> It also seems you should be able to reasonably trust that the server
> providing the cert has the corresponding private key, otherwise SSL
> wouldn't work, because SSL uses public-key crypto to exchange session keys,
> right? So if you trust the cert chain and its CA, and you trust the
> private key as uncompromised, then I think you can trust the connection as
> having no MITM.
It's a off-the-shelf browser connecting to my SSL-protected service
which masquerades as a Web server. I don't get to make decisions
about what the client will or will not do.
> If you don't trust the CA, then it doesn't matter that the
> FQDN matches.
Sure.
> I'm also wondering whether you're using the JDK 1.4+ endpoint-oriented
> networking API, such as the SocketAddress & NetworkInterface classes, and
> corresponding methods in Socket and ServerSocket. Because I thought those
> allowed for enumeration of multiple network interfaces, and provided the
> proper multi-homed name lookups.
Yes, that's what I was trying to get the FQDN with, but I haven't
found an answer there yet. Maybe I missed it; can someone else point
it out?
Bill
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Java-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/java-dev/email@hidden
This email sent to email@hidden
