[Operators] No, not the hostname in CN. - Re: IM Observatory @ xmpp.net

Dave Cridland dave at cridland.net
Mon Nov 4 13:47:21 UTC 2013


On Mon, Nov 4, 2013 at 1:09 PM, Kim Alvefur <zash at zash.se> wrote:

> On 2013-11-04 03:01, Peter Kieser wrote:
> > Shouldn't the SSL certificate CN match the hostname listed in the "IN
> > SRV" record, since that's the hostname an S2S connection will open to.
>
> No!  The domain should match a subjectAltName.  Ignore hostnames, ignore
> commonNames.
>
> Exceptions are either fallbacks that you should not strive for, or DNA /
> DNSSEC / DANE related things that are not widely implemented or deployed.
>
> See also:
>
> https://plus.google.com/+DaveCridland/posts/fAdAUa62rse
>
> http://prosody.im/doc/certificates#which_domain



Loosely, only check a trustworthy certificate for a trustworthy identity.

So if a certificate is not trustworthy, then ignore any assertions of
identity.

And the only identity you can consider trustworthy is the one you're
starting out with; or one you can securely traverse to - this latter being
the realms of DANE and POSH and so on.

Dave.
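The rule Dave and Kim state above, in code, as an added example (not part of the thread, and not Prosody's or any other server's implementation): the only reference identity checked is the origin domain the connection set out for, plus any names reached over a secure path such as DANE or POSH; the SRV target hostname and the commonName are never consulted; and if the chain is not trusted, no identity assertion is examined at all. The `Cert` dataclass is a constructed stand-in for a parsed X.509 certificate, and `securely_derived_names` is a hypothetical parameter standing in for whatever a DANE/POSH lookup would yield; no real X.509 parsing or DNS is done.

```python
"""Reference-name matching for XMPP s2s certificates (added example).

Models the rule from the thread: the origin domain is the only identity
that gets checked (plus names reached securely, e.g. via DANE or POSH), it
must match a subjectAltName dNSName entry, and the SRV target hostname and
commonName are ignored. Certificates are constructed dicts-with-names here;
a real deployment would extract these fields from a parsed X.509 object.
"""
from dataclasses import dataclass


@dataclass
class Cert:
    """Constructed stand-in for a parsed certificate (assumption: fields
    already extracted by an X.509 library and path validation already run)."""
    common_name: str
    san_dns: list          # subjectAltName dNSName entries
    chain_trusted: bool    # result of chain validation against the trust store


def _labels(name):
    return name.rstrip(".").lower().split(".")


def dns_name_matches(reference, presented):
    """RFC 6125-style comparison: case-insensitive exact match, or a single
    wildcard confined to the left-most label, e.g. '*.example.net' matches
    'chat.example.net' but not 'example.net', 'a.b.example.net' or, for
    '*.com', a public suffix like 'example.com'."""
    ref, pres = _labels(reference), _labels(presented)
    if len(ref) != len(pres):
        return False
    if pres[0] == "*":
        # Require at least two labels after the wildcard so '*.com' matches nothing.
        return len(ref) >= 3 and ref[1:] == pres[1:]
    return ref == pres


def verify_s2s_identity(origin_domain, cert, srv_target=None,
                        securely_derived_names=()):
    """Return True only if a trustworthy certificate asserts a trustworthy
    identity.

    origin_domain:           the XMPP domain the s2s connection set out for
    cert:                    the peer's certificate (see Cert above)
    srv_target:              the SRV target hostname; accepted for clarity
                             and deliberately never used
    securely_derived_names:  hypothetical: names obtained through a secure
                             traversal (DANE, POSH), which the thread calls
                             the only other trustworthy identities
    """
    # An untrusted certificate carries no identity worth reading.
    if not cert.chain_trusted:
        return False
    # commonName is ignored entirely; only subjectAltName dNSName entries count.
    references = [origin_domain, *securely_derived_names]
    return any(dns_name_matches(ref, presented)
               for ref in references
               for presented in cert.san_dns)


if __name__ == "__main__":
    # Constructed scenario from Peter's question: SRV for example.net points at
    # xmpp1.hosting.example, and the host's certificate names only itself.
    host_only = Cert(common_name="xmpp1.hosting.example",
                     san_dns=["xmpp1.hosting.example"], chain_trusted=True)
    print(verify_s2s_identity("example.net", host_only,
                              srv_target="xmpp1.hosting.example"))  # False
    with_domain = Cert(common_name="xmpp1.hosting.example",
                       san_dns=["example.net", "xmpp1.hosting.example"],
                       chain_trusted=True)
    print(verify_s2s_identity("example.net", with_domain,
                              srv_target="xmpp1.hosting.example"))  # True
```

Note that a certificate whose commonName is `example.net` but whose subjectAltName list is empty is rejected, and that the hosting hostname only becomes an acceptable identity when it arrives through `securely_derived_names`, never merely because the SRV record pointed there.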