[Standards] compliance: cert(s)

Peter Saint-Andre stpeter at jabber.org
Thu Jun 14 17:48:19 CDT 2007


Matthias Wimmer wrote:
> Peter Saint-Andre wrote:
>> Would it be appropriate to recommend that client and server developers 
>> bundle support for the root certificate under which the XMPP ICA 
>> issues domain certificates?
> 
> I thought compliance is about supported protocols and not about deployment.

That's correct. This would be in the implementation notes.

My proposed text for the implementation notes in XEP-0211 (Client) is:

******

3. Implementation Notes

Some of the protocol specifications referenced herein have their own 
dependencies; developers must refer to the relevant specifications for 
further information.

Developers are advised to refer to Best Practices for Use of SASL 
EXTERNAL [10] regarding proper implementation of the SASL EXTERNAL 
mechanism in XMPP. Given the wide deployment of domain certificates 
issued by the XMPP Intermediate Certification Authority, developers 
should also consider bundling the root certificate of the StartCom Free 
SSL Certification Authority [11] with their software. [12]

...

10. XEP-0178: Best Practices for Use of SASL EXTERNAL 
<http://www.xmpp.org/extensions/xep-0178.html>.

11. The StartCom Free SSL Certification Authority is a certification 
authority that offers free or low-cost X.509 certificates to Internet 
user and server administrators. It is also the root CA for the XMPP 
Intermediate Certification Authority run by the XMPP Standards 
Foundation. For further information, see <http://cert.startcom.org/>.

12. The root certificate is located at 
"http://cert.startcom.org/ca.crt". It is not necessary for clients to 
bundle the ICA certificate since the full certificate chain should be 
presented by deployed servers.

******

And for XEP-0212 (Server):

******

3. Implementation Notes

Some of the protocol specifications referenced herein have their own 
dependencies; developers must refer to the relevant specifications for 
further information.

Developers are advised to refer to Best Practices for Use of SASL 
EXTERNAL [10] regarding proper implementation of the SASL EXTERNAL 
mechanism in XMPP. Given the wide deployment of domain certificates 
issued by the XMPP Intermediate Certification Authority, developers 
should also consider bundling the root certificate of the StartCom Free 
SSL Certification Authority [11] with their software. [12]

...

10. XEP-0178: Best Practices for Use of SASL EXTERNAL 
<http://www.xmpp.org/extensions/xep-0178.html>.

11. The StartCom Free SSL Certification Authority is a certification 
authority that offers free or low-cost X.509 certificates to Internet 
user and server administrators. It is also the root CA for the XMPP 
Intermediate Certification Authority run by the XMPP Standards 
Foundation. For further information, see <http://cert.startcom.org/>.

12. The root certificate is located at 
"http://cert.startcom.org/ca.crt". It is recommended for servers to also 
bundle the ICA certificate since the full certificate chain should be 
presented by deployed servers; the ICA certificate is located at 
"http://cert.startcom.org/sub.class1.xmpp.ca.crt".

******

/psa
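
The chain-building behaviour that footnote 12 relies on, as an added example that is not part of the original message: a client that bundles only the root validates a server certificate when the server presents the intermediate, and fails when it does not. It assumes the `openssl` command-line tool is installed; every certificate, subject name and file name below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a constructed root -> intermediate -> leaf PKI. All names are
# stand-ins; none of these are StartCom or XMPP ICA certificates.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF

# csr NAME SUBJECT: new key and CSR. sign NAME ISSUER SECTION: issue NAME.pem.
csr() {
  openssl req -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -extfile "$WORK/pki.cnf" -extensions "$3" -days 2 \
    -out "$WORK/$1.pem" 2>/dev/null
}
# verify_chain ANCHORS LEAF [PRESENTED]: ANCHORS is what the client bundles;
# PRESENTED is what the server sent. It helps build the path but is not trusted.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

openssl req -config "$WORK/pki.cnf" -x509 -extensions ca -newkey rsa:2048 \
  -nodes -days 2 -subj "/CN=Constructed Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
csr ica "/CN=Constructed Intermediate CA"; sign ica root ca
csr leaf "/CN=xmpp.example.org"; sign leaf ica leaf
cat "$WORK/root.pem" "$WORK/ica.pem" > "$WORK/both.pem"

verify_chain "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/ica.pem" && echo "root bundled, server sends ICA: valid"
verify_chain "$WORK/root.pem" "$WORK/leaf.pem" || echo "root bundled, server omits ICA: rejected"
verify_chain "$WORK/both.pem" "$WORK/leaf.pem" && echo "root+ICA bundled, server omits ICA: valid"
```

The second case is the failure a root-only client sees when a server does not send the intermediate, which is why the server note recommends shipping the ICA certificate with server software.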
