[Operators] new cert format

Peter Saint-Andre stpeter at stpeter.im
Tue Jul 15 14:49:36 CDT 2008


We seem to have consensus about adding id-on-dnsSRV (see RFC 4985) to 
the certificate generation format in rfc3920bis. Details are in Section 
15.2.1.1 of the spec:

http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3920bis-06.html#security-certificates-generation-server

Now I'm looking into adding that field to the certs issued by the XMPP 
ICA <https://www.xmpp.net/>.

So a few questions and points of interest:

1. RFC 4985 doesn't say anything about wildcards so I assume those are 
out (they're probably not even allowed by RFC 2782).

2. Do we include the id-on-dnsSRV field only if admins specify that they 
have DNS SRV records? That seems overly complex. Just include it in case 
they get their DNS act together.

3. The new cert format should be backward compatible because all we're 
doing is adding the id-on-dnsSRV. New clients and servers will look for 
it but old ones will just ignore it.

Does anyone have questions or concerns about this change? I plan to make 
this a reality soon...

/psa
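The three points above (no wildcards, include the field unconditionally, old verifiers ignore it) all come down to how the id-on-dnsSRV otherName sits inside subjectAltName. The following is an added example, not code from the post or from the XMPP ICA: a dependency-free Python encoder and decoder for a subjectAltName carrying both a dNSName and RFC 4985 SRVName entries, plus the check a verifier would perform against the SRV lookup it made. The OID 1.3.6.1.5.5.7.8.7 is the id-on-dnsSRV type-id from RFC 4985; the `_Service.Name` layout and case-insensitive comparison follow my reading of that RFC, and the sample names (`example.com`, `_xmpp-server.example.com`) are constructed.

```python
"""Encode, decode and check an RFC 4985 id-on-dnsSRV (SRVName) subjectAltName.

Added example (not from the original post). The minimal DER helpers below
are written here for illustration and handle only what this SAN needs.
"""

ID_ON_DNSSRV = "1.3.6.1.5.5.7.8.7"  # id-on-dnsSRV type-id (RFC 4985)

def _der_len(n):
    """DER definite-length encoding (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _der_len(len(payload)) + payload

def encode_oid(dotted):
    """Encode a dotted OID whose first arc is 0 or 1 (enough for this OID)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return _tlv(0x06, bytes(out))

def decode_oid(payload):
    arcs = [payload[0] // 40, payload[0] % 40]
    value = 0
    for b in payload[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def encode_san(dns_names, srv_names):
    """subjectAltName ::= SEQUENCE OF GeneralName, with dNSName and otherName entries."""
    names = [_tlv(0x82, d.encode("ascii")) for d in dns_names]  # dNSName [2] IMPLICIT IA5String
    for s in srv_names:
        # otherName [0] { type-id OID, value [0] EXPLICIT IA5String }
        other = encode_oid(ID_ON_DNSSRV) + _tlv(0xA0, _tlv(0x16, s.encode("ascii")))
        names.append(_tlv(0xA0, other))
    return _tlv(0x30, b"".join(names))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_san(der):
    """Return dNSName and SRVName entries; unrecognised GeneralNames are listed, not rejected.

    That tolerance is what makes point 3 of the post hold: a verifier that only
    knows dNSName just skips the otherName and still sees 'example.com'.
    """
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    dns, srv, unknown, pos = [], [], [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x82:
            dns.append(val.decode("ascii"))
        elif tag == 0xA0:
            oid_tag, oid_payload, p = _read_tlv(val, 0)
            exp_tag, exp_val, _ = _read_tlv(val, p)
            ia5_tag, ia5_val, _ = _read_tlv(exp_val, 0)
            if oid_tag == 0x06 and decode_oid(oid_payload) == ID_ON_DNSSRV \
                    and exp_tag == 0xA0 and ia5_tag == 0x16:
                srv.append(ia5_val.decode("ascii"))
            else:
                unknown.append("otherName:" + decode_oid(oid_payload))
        else:
            unknown.append(hex(tag))
    return {"dns": dns, "srv": srv, "unknown": unknown}

def srv_name_matches(srv_name, service, domain):
    """Compare an SRVName '_Service.Name' with the SRV lookup the client performed.

    RFC 4985 defines no wildcard form (point 1 of the post), so any '*' fails.
    Service is the SRV service label without protocol, e.g. 'xmpp-server'.
    """
    if "*" in srv_name or not srv_name.startswith("_"):
        return False
    svc, _, name = srv_name.partition(".")
    return svc.lower() == "_" + service.lower() and name.lower() == domain.lower()

def verify_server_cert(san_der, service, domain):
    """New verifier: accept on a matching SRVName, else fall back to dNSName."""
    san = parse_san(san_der)
    if any(srv_name_matches(s, service, domain) for s in san["srv"]):
        return "srvname"
    if any(d.lower() == domain.lower() for d in san["dns"]):
        return "dnsname"
    return None

if __name__ == "__main__":
    # Constructed sample: a cert for example.com with the new field included unconditionally.
    der = encode_san(["example.com"], ["_xmpp-server.example.com", "_xmpp-client.example.com"])
    print(der.hex())
    print(parse_san(der))
    print(verify_server_cert(der, "xmpp-server", "example.com"))
```

Running the block shows the otherName appearing next to the ordinary dNSName; `verify_server_cert` reports which entry satisfied the check, so it is easy to confirm that a certificate issued "just in case" (point 2) still validates for a domain with no SRV records via its dNSName.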