
comp.dcom.vpn - VPN protocols, clients, awesomeness (2,349 messages)


Message 1,437 of 2,349
From: Larry Riffle <spamtrap47@adelphia.net>
To: kate0104@hotmail.com
Subject: Re: Question: Digital certificates and i
Date: 14 Jan 05 09:16:12

kate0104@hotmail.com wrote:
> Larry Riffle wrote:
>
>> kate0104@hotmail.com wrote:
>>
>>> Suppose someone is able to compromise my DNS.
>>> Suppose now I try to establish an IPSec tunnel to my Cisco concentrator
>>> but I end up connecting to a different malicious concentrator.
>>> Suppose this malicious concentrator has a valid Certificate signed by a
>>> known CA.
>>> Would my Cisco VPN client realize there's something wrong during its
>>> peer identity validation?
>>>
>>> thank you for your answers
>>>
>>
>> Unless somebody has pulled one over on the CA the common name won't
>> match.
>
> So is the host name I enter in my Cisco VPN client checked against the
> common name? Or does my client only verify I'm connecting with a
> concentrator with a valid certificate (even if belonging to a
> completely different concentrator)?
> What is not clear to me (and I haven't been able to find some
> clarifying document on the Cisco website) is if the ip address / hostname I
> enter in my Cisco client are checked against some field in the
> concentrator (valid) certificate.
>
      
I can't speak to that specific product. If they don't compare the
endpoint name to the common name or a subject alternate name then I
don't see how they can legitimately call what they do X.509 certificate
support.
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
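The distinction the thread turns on, "is the certificate valid" versus "is it bound to the endpoint I typed", as an added example that is not part of this post and not Cisco's client logic. It implements the identity check Larry describes (expected name or IP compared against the certificate's subjectAltName entries, falling back to the common name only when no DNS SAN is present) over two constructed certificates in the dictionary shape Python's ssl.getpeercert() returns; both are assumed to chain to a trusted CA, so chain and date validation are out of scope here.

```python
import ipaddress

# Constructed peer certificates (ssl.getpeercert() shape). Both are assumed to be
# CA-signed and in date; only the identity they carry differs.
LEGIT_CONCENTRATOR = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("IP Address", "203.0.113.10")),
}
OTHER_CONCENTRATOR = {  # perfectly valid, but issued for someone else's endpoint
    "subject": ((("commonName", "vpn.other-example.net"),),),
    "subjectAltName": (("DNS", "vpn.other-example.net"),),
}


def _dns_name_match(pattern, host):
    """RFC 6125 style DNS-ID match: case-insensitive, wildcard allowed only as
    the entire leftmost label, and never for a bare top-level domain."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False  # partial wildcards ("v*.example.com") and "*.com" rejected
    return p_labels[1:] == h_labels[1:]


def peer_identity_matches(expected, cert):
    """True only when the name or IP the user entered is bound to this
    certificate. A valid certificate for a different endpoint returns False."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP endpoint must match an iPAddress SAN; the CN is not consulted.
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip
                   for t, v in sans)
    dns_sans = [v for t, v in sans if t == "DNS"]
    if dns_sans:
        return any(_dns_name_match(p, expected) for p in dns_sans)
    # Legacy fallback: no DNS SANs present, so compare against the subject CN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_match(cn, expected) for cn in cns)
```

Run against the two constructed certificates, the redirected connection in the question is rejected even though its certificate is valid; a client that skips this step accepts it.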


