[Operators] No, not the hostname in CN. - Re: IM Observatory @ xmpp.net
Dave Cridland
dave at cridland.net
Mon Nov 4 13:47:21 UTC 2013
On Mon, Nov 4, 2013 at 1:09 PM, Kim Alvefur <zash at zash.se> wrote:
> On 2013-11-04 03:01, Peter Kieser wrote:
> > Shouldn't the SSL certificate CN match the hostname listed in the "IN
> > SRV" record, since that's the hostname an S2S connection will open to?
>
> No! The domain should match a subjectAltName. Ignore hostnames, ignore
> commonNames.
>
> Exceptions are either fallbacks that you should not strive for, or DNA /
> DNSSEC / DANE related things that are not widely implemented or deployed.
>
> See also:
>
> https://plus.google.com/+DaveCridland/posts/fAdAUa62rse
>
> http://prosody.im/doc/certificates#which_domain
Loosely, only check a trustworthy certificate for a trustworthy identity.
So if a certificate is not trustworthy, then ignore any assertions of
identity.

And the only identity you can consider trustworthy is the one you're
starting out with; or one you can securely traverse to - this latter being
the realms of DANE and POSH and so on.

Dave.
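As an added illustration (not code from Dave's or Kim's messages), a Python sketch of the rule the thread describes: match the XMPP domain against subjectAltName entries, never the commonName, and treat the SRV target hostname as an identity only when it was reached securely (the DANE/POSH-style traversal Dave mentions). The `PeerCertificate` class is a constructed stand-in for a parsed X.509 certificate.

```python
"""Reference-identity check for an XMPP s2s peer, in the spirit of the thread:
SAN over CN, and the SRV target only counts when it was obtained securely."""
from dataclasses import dataclass


@dataclass
class PeerCertificate:
    """Minimal constructed stand-in for a parsed X.509 certificate."""
    common_name: str
    dns_names: list       # subjectAltName dNSName entries
    xmpp_addrs: list      # subjectAltName otherName id-on-xmppAddr entries
    chain_trusted: bool   # outcome of path validation to a trusted anchor


def _dns_name_matches(pattern: str, domain: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, wildcard only as the whole
    leftmost label, never spanning a dot, never against a bare suffix."""
    pattern, domain = pattern.lower().rstrip("."), domain.lower().rstrip(".")
    if pattern == domain:
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        head, sep, rest = domain.partition(".")
        return sep == "." and head != "" and rest == suffix and "." in suffix
    return False


def identity_matches(cert: PeerCertificate, domain: str) -> bool:
    """True iff the certificate asserts `domain` via SAN (xmppAddr or dNSName).
    The commonName is deliberately never consulted."""
    if any(a.lower() == domain.lower() for a in cert.xmpp_addrs):
        return True
    return any(_dns_name_matches(n, domain) for n in cert.dns_names)


def trusted_identities(domain: str, srv_target: str, srv_secured: bool) -> list:
    """Identities we may check against: the domain we started with, plus the
    SRV target only if the SRV lookup itself was secured (e.g. DNSSEC/DANE)."""
    identities = [domain]
    if srv_secured and srv_target:
        identities.append(srv_target)
    return identities


def verify_peer(cert: PeerCertificate, domain: str,
                srv_target: str = "", srv_secured: bool = False) -> bool:
    """Only check a trustworthy certificate for a trustworthy identity."""
    if not cert.chain_trusted:
        return False  # an untrusted cert's identity assertions mean nothing
    return any(identity_matches(cert, ident)
               for ident in trusted_identities(domain, srv_target, srv_secured))
```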