As I understand them, SSL certificates contain a domain name, a public key and the giving CA.
Why is it important to include a domain name?
Why isn't it enough that the CA considers the public key as trusted and that the said server indeed has the private key associated with it?
Asked
Active
Viewed 290 times
0
Neo
- 103
- 2
2 Answers
2
Because, when using the PKI, you do want the CA to confirm for you that the holder of the key is indeed the legitimate owner of the domain.
If if worked as you suggested, I could get a certificate and MITM your server, posing as your server on your domain and present a valid certificate (as the domain I'm presenting it for is not restricted).
The CA does not confirm that the holder of a key is trustworthy but does confirm that the holder of the key is also the legitimate holder of the domain.
Tobi Nary
- 14,302
- 8
- 43
- 58
2
Identity. The fact that server possessed the private key is good, but you still need to know who you talk to. Particular CA issues certificates to thousands entities and when you go to stackoverflow.com, you expect that stackoverflow.com will respond to you, not any other web site that has its own certificate from the same issuer.
A simple example: you are a postal courier and need to deliver a parcel to (say) John Smith (this name is printed on an envelope). But you don't know John Smith in person. Ok, you find his house by address. Someone claims that he is John Smith. You have to verify his claims, ask for documents (driving license or ID card). Ok, he presents his card (proves that he owns that card) to you. The fact that he owns some well trusted card means too little. You have to read the name printed on the card. And only when name on a card matches the name on a parcel -- then you can safely give him parcel. And you won't if names don't match.
In other words, domain name in the certificate ensures that you are the entity you claim to be.
Crypt32
- 5,750
- 12
- 24