[stunnel-users] Common Name checking
Michal.Trojnara at mobi-com.net
Wed Jul 15 12:22:01 CEST 2009
Mark Bolton wrote:
> Thanks for your reply, however a CRL will only help if we find out
> about it.
> We want to prevent it from happening of course, but we want to remove
> the incentive as well. With a CRL, there is a window of opportunity
> between the time the cert is stolen and when the theft is discovered.
> How can we close that window?

You mean the private key and not the certificate, right? I'm afraid you
can't. The security of public-key cryptography is based on the security of

Web browsers implement some DNS checks. Since you can spoof DNS, it's not
something you can rely on.

In some cases it's also possible to implement some sort of IP-based access
control. This is a pain to maintain and not really a bulletproof solution.