[Standards-JIG] wildcards in certs
Justin Karneges
justin-keyword-jabber.093179 at affinix.com
Tue Nov 21 17:37:24 CST 2006
On Tuesday 21 November 2006 2:55 pm, Peter Saint-Andre wrote:
> Matthias Wimmer wrote:
> > I'd prefer to use the dNSName OID to be used for such wildcarded
> > addresses. In my optinion id-on-xmppAddr should be limited to only
> > contain valid XMPP addresses, and a wildcarded domain is no valid XMPP
> > address.
> >
> > Therefore I'd like to see wildcard support, but I am against using
> > id-on-xmppAddr for this.
>
> That makes sense. Someone told me recently that the dNSName could only
> be used for HTTP domains but I don't see anything in the specs that
> limits it. I need to check on that further.
RFC 3920, section 14.2, would seem to suggest that this is already possible:
"The certificate SHOULD then be checked against the expected identity of the
peer following the rules described in [HTTP‑TLS], except that a
subjectAltName extension of type "xmpp" MUST be used as the identity if
present."
I read this as: if id-on-xmppAddr is present, then use it, otherwise validate
using HTTP-TLS rules. In the latter case, this means dNSName, and
wildcarding. It is nice to get stuff for free. :)
I can only suggest making it more explicit that nodeless entities are not
required to use id-on-xmppAddr, and that dNSName can be used instead if
wildcarding is desired.
-Justin
More information about the Standards-JIG
mailing list