[Operators] Obtaining XMPP-enabled certificate for server

Sam Whited sam at samwhited.com
Tue Jul 19 14:06:03 UTC 2016

On Tue, Jul 19, 2016 at 4:53 AM, Simon Josefsson <simon at josefsson.org> wrote:
> I wonder if people really care about this usage any more -- it does not
> scale well (all domains have to be encoded in the same cert => big
> certs) and introduces an indirection which often leaves room for
> attackers

I don't understand what problem you're solving by doing this. As you
said, it's just going to make the certs bigger and overcomplicate
things. Using the common name works fine and, for better or for worse,
is just about the only thing supported by any of the cheap or free
cert providers these days.

Just because it's in the RFC doesn't necessarily make it a best
practice, and I think in this case you're just making more issues and
work for yourself for no benefit.


Sam Whited
pub 4096R/54083AE104EA7AD3
