[stunnel-users] Common Name checking

Michal Trojnara Michal.Trojnara at mobi-com.net
Wed Jul 15 12:22:01 CEST 2009


Mark Bolton wrote:
> Thanks for your reply, however a CRL will only help if we find out  
> about it.
> 
> We want to prevent it from happening of course, but we want to remove  
> the incentive as well. With a CRL, there is a window of opportunity  
> between the time the cert is stolen and when the theft is discovered.  
> How can we close that window?

You mean the private key and not the certificate, right?  I'm afraid you
can't.  The security of public-key cryptography is based on the security of
private keys.

Web browsers implement some DNS checks.  Since you can spoof DNS, it's not
something you can rely on.

In some cases it's also possible to implement some sort of IP-based access
control.  This is a pain to maintain and not really a bulletproof solution.

Best regards,
    Mike
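
The two controls Mike mentions, certificate revocation and IP-based access
control, can both be expressed in an stunnel configuration.  The following is
an added illustration, not a configuration from the original thread or from
the stunnel project; file paths, the service name "https", the network
ranges and the port numbers are assumptions.  It shows a server that requires
client certificates signed by a known CA, consults a locally maintained CRL,
and (when stunnel is built with libwrap) restricts connecting addresses via
/etc/hosts.allow.  Note what it does not do: a client holding a stolen but
not-yet-revoked private key still passes every one of these checks until the
CRL is updated, which is exactly the window the reply says cannot be closed.

```ini
; stunnel.conf -- added example, paths and names are assumptions

; Server identity
cert = /etc/stunnel/server.pem
key  = /etc/stunnel/server.key

; Require a client certificate and verify it against our CA
verify = 2
CAfile = /etc/stunnel/ca.crt

; Revocation: clients whose serial appears in this CRL are rejected.
; Effective only from the moment the stolen key's cert is added to it.
CRLfile = /etc/stunnel/ca.crl

[https]
accept  = 443
connect = 127.0.0.1:8080
; Consult /etc/hosts.allow and /etc/hosts.deny for the "https" service
; (requires stunnel compiled with libwrap support)
libwrap = yes

; /etc/hosts.allow -- only these networks may reach the "https" service
;   https : 10.0.0.0/255.255.255.0 192.168.1.0/255.255.255.0
; /etc/hosts.deny -- everything else is refused
;   https : ALL
```

The CRL has to be regenerated and redeployed every time a certificate is
revoked; until the new file is in place stunnel keeps trusting the old one, so
an automated refresh of CRLfile (or a CRLpath directory) is what actually
determines how long the exposure window stays open after the theft is
noticed.  The hosts.allow rule limits where a stolen key can be used from,
which is the "pain to maintain and not really bulletproof" control from the
reply: the allowed network changes every time a legitimate client moves.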
