[Operators] server certs for XMPP and SIP

Peter Saint-Andre stpeter at stpeter.im
Fri Jan 27 22:38:34 UTC 2012

On 1/27/12 3:11 PM, Daniel Pocock wrote:
> I've got two questions:
> - what are the specifications for a subjectAltName (SAN) cert that can
> be used for both Jabber and SIP?
> - which CAs have been reliable in providing such certs?
> Background info that I found:
> - I understand the certs used to differ (SIP used the dNSName record
> type, while Jabber used otherName xmppAddr)
> - since the revised RFC 6120, Jabber now supports dNSName, same as SIP
> http://tools.ietf.org/html/rfc6120
> http://tools.ietf.org/html/rfc6125


> - the xmpp.net page found by Google only refers to the StartCom CA:
> http://xmpp.org/resources/certificates/

The reference to StartCom is there because we used to run an
intermediate CA with StartCom as the root. We've since terminated that
experiment, but StartCom is still popular among XMPP server admins.

> - the wiki page found by Google appears to be concerned with the old
> standard:
> http://wiki.xmpp.org/web/XMPP_Server_Certificates
> - many of the CA web sites just refer to `subjectAltName' or SAN
> certificates - they don't advise what type of data (e.g. otherName or
> dNSName) they are willing to put in the cert

I've not had time to do any research about certification authorities, so
I'm not sure about the current state of the art among big CAs like
Thawte, Equifax, and GoDaddy. Sounds like a good topic for discussion
here. :)


Peter Saint-Andre

More information about the Operators mailing list