Contents Index Using a global certificate as a server certificate Verifying fields in certificate chains

MobiLink Synchronization User's Guide
  Transport-Layer Security

Verifying certificate fields

Global certificates have one potentially serious flaw. Because the MobiLink clients, as configured above, trust all certificates signed by the certificate authority, they may also trust certificates that the same certificate authority has issued to other companies. Without a means to discriminate, your clients might mistake a competitor's MobiLink synchronization server for your own and accidentally send it sensitive information.

Similar precautions can be required in other scenarios. A company may use an enterprise certificate, but it may still be important to verify with which department a MobiLink client is connected.

This problem can be resolved by requiring your clients to test the value of fields in the identity portion of the certificate. Three fields in the certificate can be verified. You can verify any or all of the following three fields:

To verify the fields, you supply the acceptable value. For example, the following SQL statement tells an Adaptive Server Anywhere client to check all three fields and to accept only the named values:

CREATE SYNCHRONIZATION SUBSCRIPTION
FOR 'user01'
TO test
ADDRESS 'port=3333;security=ecc_tls(    trusted_certificates=certicom.crt;
   certificate_company=Sybase, Inc.;
   certificate_unit=iAnywhere;certificate_name=sample )'

You can verify the fields from an UltraLite client in a similar manner. The precise syntax depends upon the interface used to build the application. The following fragment of C code accomplishes the same task when developing the UltraLite application using embedded SQL in C or C++:

ul_synch_info info;
. . .
info.security_parms =
   UL_TEXT ( "certificate_company=Sybase, Inc." )
   UL_TEXT ( ";" )
   UL_TEXT ( "certificate_unit=iAnywhere" )
   UL_TEXT ( ";" )
   UL_TEXT ( "certificate_name=sample" );
. . .
ULSynchronize( &info );

This example verifies all three fields. You can instead choose to verify only one or two fields.

Verifying fields in certificate chains
Using a globally-signed certificate as an enterprise certificate

Contents Index Using a global certificate as a server certificate Verifying fields in certificate chains