[jdev] JID and X.509
stpeter at jabber.org
Tue Mar 7 14:05:03 CST 2006
Heiner Wolf wrote:
> I am writing a Jabber CA.
Good luck. It's no fun to be a certification authority.
> I would like to sign a certificate which
> certifies that the holder of the certificate owns the JID, that is
> embedded in the certificate. I will issue X.509 certificates. Where
> in X.509 should the JID be stored and how?
This is explained in Section 5.1 of RFC 3920:
   If a JID for any kind of XMPP entity (e.g., client or server) is
   represented in a certificate, it MUST be represented as a UTF8String
   within an otherName entity inside the subjectAltName, using the [ASN.1]
   Object Identifier "id-on-xmppAddr" specified in Section 5.1.1 of this
See also http://www.xmpp.org/specs/rfc3920.html#tls-overview-oid for the
> Candidates for storing the JID are: userID, id-on-xmppAddr
RFC 3920 is clear on this. I would say that userID is not a candidate
(although RFC 3920 does not prohibit that, since it says only that the
JID MUST be stored as an otherName in the subjectAltName, IMHO it is not
a good idea to store the same information in two places).
> Any other ideas? BTW: What does "id-on-" mean in id-on-xmppAddr? Why not
> just "xmppAddr"?
It's ASN.1 madness, don't ask.
> Next question: how will it be stored:
> user@jabber.org
> jabber:user@jabber.org
> xmpp:user@jabber.org
It will be stored as a JID of the form "node@domain.tld". It will not be
stored as an XMPP URI (i.e., with an "xmpp:" prefix). It will not be
stored with a "jabber:" prefix, since no document defines that prefix.
Jabber Software Foundation
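The encoding stpeter points to above, worked through as an added example that is not part of the original thread: it DER-encodes a subjectAltName extension value whose GeneralName is an otherName of type id-on-xmppAddr (OID 1.3.6.1.5.5.7.8.5, from RFC 3920 section 5.1.1) carrying the bare JID as a UTF8String, then parses it back the way a server would when checking a client certificate. It uses only the Python standard library so it runs offline; the JIDs are constructed samples, and the match check assumes both sides were already stringprep-normalized.

```python
"""Added example (not from the jdev thread): a minimal DER encoder/decoder
for the id-on-xmppAddr otherName in subjectAltName, per RFC 3920 s5.1.
Sample JIDs below are constructed, not taken from any real certificate."""

ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"   # id-on-xmppAddr (RFC 3920 s5.1.1)

# DER identifier octets used here
TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_SEQUENCE = 0x30
TAG_CTX0 = 0xA0   # [0] constructed: used for GeneralName.otherName
                  # (IMPLICIT) and for OtherName.value (EXPLICIT)


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])      # base-128, high bit set on
        arc >>= 7                            # all but the last octet
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(TAG_OID, bytes(out))


def decode_oid(content: bytes) -> str:
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def encode_xmpp_addr(jid: str) -> bytes:
    """GeneralName.otherName { id-on-xmppAddr, [0] EXPLICIT UTF8String jid }."""
    if jid.lower().startswith(("xmpp:", "jabber:")):
        raise ValueError("store the bare JID, not a URI with a scheme prefix")
    value = der_tlv(TAG_CTX0, der_tlv(TAG_UTF8STRING, jid.encode("utf-8")))
    other_name = encode_oid(ID_ON_XMPPADDR) + value   # OtherName SEQUENCE body
    return der_tlv(TAG_CTX0, other_name)               # otherName [0] IMPLICIT


def encode_subject_alt_name(jids) -> bytes:
    """SubjectAltName ::= GeneralNames ::= SEQUENCE OF GeneralName."""
    return der_tlv(TAG_SEQUENCE, b"".join(encode_xmpp_addr(j) for j in jids))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def xmpp_addrs_from_san(san: bytes) -> list:
    """Every id-on-xmppAddr JID in a DER SubjectAltName value.
    Other GeneralName choices (dNSName, rfc822Name, ...) and other otherName
    types are skipped; an xmppAddr whose value is not a UTF8String is
    rejected, because RFC 3920 says it MUST be one."""
    tag, names, _ = _read_tlv(san, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    jids, pos = [], 0
    while pos < len(names):
        tag, content, pos = _read_tlv(names, pos)
        if tag != TAG_CTX0:                 # not an otherName
            continue
        oid_tag, oid_content, p = _read_tlv(content, 0)
        if oid_tag != TAG_OID or decode_oid(oid_content) != ID_ON_XMPPADDR:
            continue                         # some other otherName type
        _, explicit, _ = _read_tlv(content, p)       # value [0] EXPLICIT
        vtag, vcontent, _ = _read_tlv(explicit, 0)
        if vtag != TAG_UTF8STRING:
            raise ValueError("id-on-xmppAddr value is not a UTF8String")
        jids.append(vcontent.decode("utf-8"))
    return jids


def cert_asserts_jid(san: bytes, expected_jid: str) -> bool:
    """Server-side check: does the certificate carry exactly this JID?
    Assumes nodeprep/nameprep of both sides happened before the call."""
    return expected_jid in xmpp_addrs_from_san(san)
```

With OpenSSL the same extension can be requested from an x509v3 config section as `subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:juliet@example.org`, which produces the byte layout the encoder above builds by hand (`A0 .. 06 08 2B 06 01 05 05 07 08 05 A0 .. 0C ..`). The decoder deliberately ignores userID and every other place a JID might be smuggled in; only the otherName form is authoritative.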