[Standards] TLS certificate fun
Dave Cridland
dave at cridland.net
Tue May 13 11:51:00 CDT 2008
On Tue May 13 17:16:39 2008, Shumon Huque wrote:
> I personally think we want to encourage the use of a generalized
> name form rather than an XMPP specific one. It will be much
> easier to get commercial CAs and other entities down the road
> to issue certs with general purpose extensions.
Kind of - I'd prefer that certificates intended to be used as
authorization to act as a particular jid should use id-on-xmppAddr.
XMPP Peer/Server identification is a particular case of this, but can
also be treated as a general form of SRV based lookup and
authentication, so either is probably useful in this case. Note that
servers using RFC 4985 would either require different certificates on
C2S and S2S ports, or else use a certificate with at least two
SRVNames.
My (cynical) bet is that obtaining a single certificate with multiple
SRVNames will be just as hard/expensive/annoying as it is to obtain a
certificate with id-on-xmppAddr in - if for no other reason than the
commercial CAs will spot a way of making more money by forcing you to
get two certificates for the price of two, whereas the xmppAddr style
is at least usable for all XMPP-related purposes, including C2S
client authentication.
Dave.
--
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
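Added example (not from the thread or any XMPP project) showing the point above about SRVName versus id-on-xmppAddr in code: given a certificate's subjectAltName entries, decide which XMPP service (C2S or S2S) the certificate authorizes for a domain. It assumes the SAN has already been decoded into (type, value) tuples by an X.509 library; the certificates, domain names and function names are constructed for illustration.

```python
from typing import Iterable, List, Optional, Tuple

# SAN entry types relevant to XMPP identity checks (RFC 6120 / XEP-0178 order of preference)
XMPP_ADDR = "id-on-xmppAddr"   # otherName, OID 1.3.6.1.5.5.7.8.5: bare domain, e.g. "example.com"
SRV_NAME = "id-on-dnsSRV"      # otherName, OID 1.3.6.1.5.5.7.8.7 (RFC 4985): "_Service.Name"
DNS_NAME = "dNSName"           # plain hostname fallback

SanEntry = Tuple[str, str]


def matching_entry(san: Iterable[SanEntry], domain: str, service: str) -> Optional[SanEntry]:
    """Return the first SAN entry that authorizes `domain` for `service`
    ("_xmpp-client" or "_xmpp-server"), preferring xmppAddr, then SRVName,
    then dNSName; None if nothing matches. Comparison is case-insensitive;
    wildcards and IDNA normalisation are deliberately out of scope here."""
    want = domain.lower()
    srv_want = f"{service}.{want}".lower()
    entries = list(san)
    checks = (
        (XMPP_ADDR, lambda v: v.lower() == want),        # covers every XMPP service
        (SRV_NAME, lambda v: v.lower() == srv_want),     # bound to exactly one service
        (DNS_NAME, lambda v: v.lower() == want),
    )
    for kind, matches in checks:
        for entry in entries:
            if entry[0] == kind and matches(entry[1]):
                return entry
    return None


def services_authorized(san: Iterable[SanEntry], domain: str) -> List[str]:
    """List the XMPP SRV services the certificate may act as for `domain`."""
    entries = list(san)
    return [s for s in ("_xmpp-client", "_xmpp-server")
            if matching_entry(entries, domain, s) is not None]


# Constructed certificates (SAN contents only), illustrating the thread's scenarios.
SRV_ONLY_CERT = [(DNS_NAME, "mail.example.com"), (SRV_NAME, "_xmpp-server.example.com")]
TWO_SRV_CERT = [(SRV_NAME, "_xmpp-server.example.com"), (SRV_NAME, "_xmpp-client.example.com")]
XMPP_ADDR_CERT = [(XMPP_ADDR, "example.com")]

if __name__ == "__main__":
    for name, cert in (("SRV only", SRV_ONLY_CERT), ("two SRVNames", TWO_SRV_CERT),
                       ("xmppAddr", XMPP_ADDR_CERT)):
        print(f"{name:13} -> {services_authorized(cert, 'example.com')}")
```

A single SRVName certificate authorizes only the one service it names, so an S2S certificate cannot be reused on the C2S port, whereas one id-on-xmppAddr entry covers both.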