[Box Backup] Question about certificates

Chris Wilson boxbackup@fluffy.co.uk
Thu, 2 Aug 2007 19:50:07 +0100 (BST)


Hi Nuno,

On Thu, 2 Aug 2007, Nuno Fernandes wrote:

>>> Can't i use the same CA to validate servers and clients?
>>
>> You can, but it's not secure. It allows one of your clients to pretend to
>> be a valid server for any other client.
>
> It's not secure? Why not? A client can only pretend to be a server with the
> name BACKUP-X where X is the client number. If another client would connect
> to server1.domain.com and a client would only have a certificate with the
> common name of BACKUP-X and not server1.domain.com.

I'm not 100% sure, but I don't think the client verifies the CN of the 
server certificate at all, except that it was signed by the expected CA. 
So it doesn't matter that the server has a "name" of BACKUP-1 or anything 
else, as long as it was signed by the ServerCA, which in your case would 
be the same as the ClientCA.

Cheers, Chris.
-- 
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |