
On Mon, Sep 12, 2011 at 4:39 AM, <Valdis.Kletnieks@vt.edu> wrote:
> On Sun, 11 Sep 2011 22:01:47 EDT, Christopher Morrow said:
> > If I have a thawte cert for valdis.com on host A and one from comodo on host B... which is the right one?
> You wouldn't have 2 certs for that... I'd have *one* cert for that. And if when you got to the IP address you were trying to reach, the cert didn't validate as matching the hostname, you know something fishy is up.
> And if you *do* have two certs for it, I'd like to talk to the bozos at Thawte and Comodo who obviously didn't check the paperwork. ;)
this has already happened with mozilla.com, google.com, microsoft.com .... my point was that as a user, and as a service operator, what in today's CA world helps me know that the service operator's certificate is what my user-client sees? some 'trust' in the fact that thawte/comodo/verisign/cnnic didn't issue a cert for the service-operator's service incorrectly? I think I need a method that the service operator can use to signal to my user-client outside the certificate itself that the certificate #1234 is the 'right' one.
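One way to implement the out-of-band signal Morrow is asking for is a DANE/TLSA-style check (RFC 6698), sketched below as an added example that is not part of the thread: the operator publishes, outside the certificate, a hash of either the whole certificate or just its public key, and the client compares what it was actually presented against that published value. The DER certificates here are constructed dummies (serial 1234 echoes the "#1234" above, the key bits and signatures are filler), and the minimal DER walker assumes well-formed input.

```python
import hashlib

def _tlv(tag, value):
    """DER tag-length-value; short form or one-byte long form (enough here)."""
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + value

def _der_read(buf, pos):
    """Return (tag, value_start, value_end) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, pos, pos + length

def spki_from_cert(der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER Certificate."""
    _, pos, tbs_end = _der_read(der, _der_read(der, 0)[1])   # step into tbsCertificate
    fields = []                                              # (tag, tlv_start, tlv_end)
    while pos < tbs_end:
        tag, _, vend = _der_read(der, pos)
        fields.append((tag, pos, vend))
        pos = vend
    if fields[0][0] == 0xA0:                                 # optional EXPLICIT [0] version
        fields.pop(0)
    _, start, end = fields[5]      # serial, sigAlg, issuer, validity, subject, SPKI
    return der[start:end]

def tlsa_record(der_cert, selector, matching_type):
    """Hex association data the operator publishes out of band (e.g. in DNS).
    Selector 0 = whole DER cert, 1 = SubjectPublicKeyInfo; matching 1 = SHA-256, 2 = SHA-512."""
    data = der_cert if selector == 0 else spki_from_cert(der_cert)
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching_type](data).hexdigest()

def tlsa_matches(der_cert, selector, matching_type, published_hex):
    """Client side: does the cert actually presented hash to the published value?"""
    return tlsa_record(der_cert, selector, matching_type) == published_hex.lower()

def make_sample_cert(serial, key_byte, sig_byte):
    """Constructed minimal DER 'certificate'; key bits and signature are dummies."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    rsa_enc = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
    spki = _tlv(0x30, rsa_enc + _tlv(0x03, b"\x00" + bytes([key_byte]) * 40))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial) + sha256_rsa
               + _tlv(0x30, b"") + _tlv(0x30, _tlv(0x17, b"110912000000Z") + _tlv(0x17, b"120912000000Z"))
               + _tlv(0x30, b"") + spki)
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" + bytes([sig_byte]) * 16))

# Cert #1234 as deployed, the same key re-issued under another serial, and a different key.
CERT_1234 = make_sample_cert(b"\x04\xd2", 0x11, 0x22)
CERT_REISSUED = make_sample_cert(b"\x04\xd3", 0x11, 0x33)
CERT_OTHER_KEY = make_sample_cert(b"\x04\xd4", 0x99, 0x44)
```

Pinning the SubjectPublicKeyInfo (selector 1) keeps matching when the operator re-issues the same key under a new serial, while a whole-certificate pin (selector 0) does not; a certificate carrying a different key fails either way.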