[jdev] JID and X.509

Peter Saint-Andre stpeter at jabber.org
Tue Mar 7 14:05:03 CST 2006

Hash: SHA1

Heiner Wolf wrote:
> Hi
> I am writing a Jabber CA. 

Good luck. It's no fun to be a certification authority.

> I would like to sign a certificate which
> certifies that the holder of the certificate owns the JID, that is
> embedded in the certificate. I will issue X.509 certificates. Where
> in X.509 should the JID be stored and how?

This is explained in Section 5.1 of RFC 3920:




If a JID for any kind of XMPP entity (e.g., client or server) is
represented in a certificate, it MUST be represented as a UTF8String
within an otherName entity inside the subjectAltName, using the [ASN.1]
Object Identifier "id-on-xmppAddr" specified in Section 5.1.1 of this


See also http://www.xmpp.org/specs/rfc3920.html#tls-overview-oid for the
ASN.1 definition.

> Canditates for storing the JID are: userID id-on-xmppAddr

RFC 3920 is clear on this. I would say that userID is not a candidate
(although RFC 3920 does not prohibit that, since it says only that the
JID MUST be stored as an otherName in the subjectAltName, IMHO it is not
a good idea to store the same information in two places).

> Any other ideas? BTW: What means "id-on-" in id-on-xmppAddr? Why nt
> just "xmppAddr"?

It's ASN.1 madness, don't ask.

> Next question: how will it be stored: user at jabber.org 
> jabber:user at jabber.org xmpp:user at jabber.org

It will be stored as a JID of the form "node at domain.tld". It will not be
stored as an XMPP URI (i.e., with a "xmpp:" prefix). It will not be
stored with a "jabber:" prefix since no document defines that prefix.


- --
Peter Saint-Andre
Jabber Software Foundation

Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3641 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20060307/eca8db3f/attachment-0002.bin>

More information about the JDev mailing list