Difference between revisions of "The Knight"

No change in size ,  15:39, 13 August 2014
m
→‎How you're meant to do it: lowercase two characters
(Created page with "== Preface == Written by Dave Cridland, with review and comments by Matthew Miller. == The Knight's Tale == The brave Knight approached the Wizard with some caution, becaus...")
 
m (→‎How you're meant to do it: lowercase two characters)
 
Line 101: Line 101:
== How you're meant to do it ==
== How you're meant to do it ==


When authenticating a certificate, you look for a SAN which matches the asserted identity. So if a remote site asserts it is the XMPP server for dave.cridland.net, you can look for a SAN which proves it - which could be a SrvName of _xmpp-server.dave.cridland.net, or a uRIName of xmpp:dave.cridland.net, or a dNSName or dave.cridland.net or ...
When authenticating a certificate, you look for a SAN which matches the asserted identity. So if a remote site asserts it is the XMPP server for dave.cridland.net, you can look for a SAN which proves it - which could be a srvName of _xmpp-server.dave.cridland.net, or a uRIName of xmpp:dave.cridland.net, or a dNSName or dave.cridland.net or ...


If there are no SANs of a suitable type (none, or only, say, a directoryName) then you drop to looking for a Common Name within the Subject. This is normally referred to as "The Common Name of the cert", which makes as much sense as "The letter of your name".
If there are no SANs of a suitable type (none, or only, say, a directoryName) then you drop to looking for a Common Name within the Subject. This is normally referred to as "The Common Name of the cert", which makes as much sense as "The letter of your name".
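Review bot: the changed sentence in this hunk still reads "or a dNSName or dave.cridland.net", where the second "or" should be "of" to match "a srvName of ..." and "a uRIName of ..." earlier in the same sentence. It is worth fixing in the same typo pass. The lowercase "srvName" is consistent with the "uRIName" and "dNSName" spellings next to it.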
Line 107: Line 107:
You're always dealing with the name typed by the user, or something you can securely derive from that. So if you start off which dwd@dave.cridland.net, then you can securely derive the domain dave.cridland.net from it. However, if there's DNSSEC involved, then you could use the hostname if the SRV record were securely signed.
You're always dealing with the name typed by the user, or something you can securely derive from that. So if you start off which dwd@dave.cridland.net, then you can securely derive the domain dave.cridland.net from it. However, if there's DNSSEC involved, then you could use the hostname if the SRV record were securely signed.


Proving that the certificate is valid, though, means also checking the issuer chain of the certificate ends in a Certification AUthority which is itself one of your known trust anchors. Alternately - and when I wrote the above, this was still fairly vague - DNSSEC can provide indications of what certificates are valid, either by suggesting alternate trust anchors, or specifying the certificate itself.
Proving that the certificate is valid, though, means also checking the issuer chain of the certificate ends in a Certification Authority which is itself one of your known trust anchors. Alternately - and when I wrote the above, this was still fairly vague - DNSSEC can provide indications of what certificates are valid, either by suggesting alternate trust anchors, or specifying the certificate itself.


If someone builds a viable Quantum Computer, though, then all bets are off.
If someone builds a viable Quantum Computer, though, then all bets are off.
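Review bot: the first paragraph of this hunk is left unchanged and still reads "if you start off which dwd@dave.cridland.net", where "which" should be "with". The "AUthority" to "Authority" correction in the following paragraph is fine; the remaining typo could go into the same minor edit or a follow-up.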