[Operators] new cert format

Jesse Thompson jesse.thompson at doit.wisc.edu
Wed Jul 16 10:17:47 CDT 2008


Peter Saint-Andre wrote:
> We seem to have consensus about adding id-on-dnsSRV (see RFC 4985) to
> the certificate generation format in rfc3920bis. Details are in Section
> 15.2.1.1 of the spec:
> 
> http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3920bis-06.html#security-certificates-generation-server
> 
> 
> Now I'm looking into adding that field to the certs issued by the XMPP
> ICA <https://www.xmpp.net/>.
> 
> So a few questions and points of interest:
> 
> 1. RFC 4985 doesn't say anything about wildcards so I assume those are
> out (they're probably not even allowed by RFC 2782).
> 
> 2. Do we include the id-on-dnsSRV field only if admins specify that they
> have DNS SRV records? That seems overly complex. Just include it in case
> they get their DNS act together.
> 
> 3. The new cert format should be backward compatible because all we're
> doing is adding the id-on-dnsSRV. New clients and servers will look for
> it but old ones will just ignore it.
> 
> Does anyone have questions or concerns about this change? I plan to make
> this a reality soon...
> 
> /psa

Does this do anything to help servers that host lots of virtual domains?

I'm not sure what exactly you mean by your statement about wildcard
certificates, but elimination of wildcard certificates for hosting
providers makes it even more difficult (even though wildcard
certificates are themselves inadequate for many hosting providers).

Jesse

-- 
  Jesse Thompson
  Email/IM: jesse.thompson at doit.wisc.edu
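To make the quoted proposal concrete, here is an added example (not code from the thread, the XMPP ICA, or rfc3920bis) that builds and parses a subjectAltName extension carrying both a dNSName and the id-on-dnsSRV otherName from RFC 4985, then applies the two behaviours Peter describes: a peer that understands SRVName matches `_xmpp-server.<domain>` exactly (no wildcards), and an older peer simply ignores the otherName and falls back to dNSName. It uses only the Python standard library; the OID `1.3.6.1.5.5.7.8.7` and the `_Service.Name` form are from RFC 4985, while the helper names (`encode_san`, `decode_san`, `srv_name_matches`, `accepts_for_domain`) and the sample domains are my own constructions. The order in which a real XMPP implementation consults name types is an assumption here, not a statement of what rfc3920bis mandates.

```python
"""Minimal DER encoder/decoder for a subjectAltName with id-on-dnsSRV.

Added example for the operators thread; not the ICA's or any library's code.
"""

# RFC 4985: id-on-dnsSRV ::= { id-pkix 8 7 } -> 1.3.6.1.5.5.7.8.7
ID_ON_DNSSRV = "1.3.6.1.5.5.7.8.7"


def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one octet
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                             # base-128, high bit = "more"
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def encode_san(dns_names, srv_names):
    """SubjectAltName ::= SEQUENCE OF GeneralName.

    dNSName is [2] IMPLICIT IA5String (tag 0x82). otherName is [0] IMPLICIT
    SEQUENCE { type-id OID, value [0] EXPLICIT ANY } (tag 0xA0), and for
    id-on-dnsSRV the value is an IA5String such as "_xmpp-server.example.com".
    """
    names = b"".join(_tlv(0x82, d.encode("ascii")) for d in dns_names)
    for s in srv_names:
        other = _encode_oid(ID_ON_DNSSRV) + _tlv(0xA0, _tlv(0x16, s.encode("ascii")))
        names += _tlv(0xA0, other)
    return _tlv(0x30, names)


def decode_san(der):
    """Collect dNSName and id-on-dnsSRV values; unknown name types are skipped,
    which is exactly why older software can ignore the new field."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    dns, srv, pos = [], [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x82:
            dns.append(val.decode("ascii"))
        elif tag == 0xA0:
            otag, oid_body, p = _read_tlv(val, 0)
            if otag == 0x06 and _decode_oid(oid_body) == ID_ON_DNSSRV:
                _, inner, _ = _read_tlv(val, p)        # [0] EXPLICIT wrapper
                itag, s, _ = _read_tlv(inner, 0)
                if itag == 0x16:
                    srv.append(s.decode("ascii"))
    return {"dns": dns, "srv": srv}


def srv_name_matches(srv_name, service, domain):
    """RFC 4985 "_Service.Name": service and DNS part compared case-insensitively,
    exact match only; there is no wildcard form, so "*" never matches."""
    if not srv_name.startswith("_"):
        return False
    svc, _, host = srv_name[1:].partition(".")
    return svc.lower() == service.lower() and host.lower() == domain.lower().rstrip(".")


def accepts_for_domain(san_der, domain, understands_srv=True):
    """Assumed check order: a peer that knows id-on-dnsSRV looks for
    _xmpp-server.<domain>; otherwise (or on no match) fall back to dNSName."""
    names = decode_san(san_der)
    if understands_srv and any(srv_name_matches(s, "xmpp-server", domain) for s in names["srv"]):
        return "srv"
    if any(d.lower() == domain.lower() for d in names["dns"]):
        return "dns"
    return None


if __name__ == "__main__":
    # Constructed sample: a hosting provider's cert covering two virtual domains.
    san = encode_san(["a.example", "b.example"],
                     ["_xmpp-server.a.example", "_xmpp-server.b.example"])
    print(san.hex())
    print(decode_san(san))
    print(accepts_for_domain(san, "b.example"), accepts_for_domain(san, "b.example", False))
```

Running the block prints the DER hex, the decoded names, and `srv dns`: the same certificate satisfies a peer that understands SRVName and one that does not, which is the backward-compatibility claim in point 3. Note also that the only way this helps the multi-domain hosting case Jesse raises is by listing every domain explicitly, one otherName per virtual domain, since `srv_name_matches` rejects anything with a `*` in it.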