[Operators] Obtaining XMPP-enabled certificate for server

Dave Cridland dave at cridland.net
Wed Jul 20 09:53:59 UTC 2016


On 20 July 2016 at 10:15, Dave Cridland <dave at cridland.net> wrote:

>
>
> On 20 July 2016 at 10:07, Simon Josefsson <simon at josefsson.org> wrote:
>
>> Sam Whited <sam at samwhited.com> writes:
>>
>> > On Tue, Jul 19, 2016 at 4:53 AM, Simon Josefsson <simon at josefsson.org> wrote:
>> >> I wonder if people really care about this usage any more -- it does not
>> >> scale well (all domains have to be encoded in the same cert => big
>> >> certs) and introduces an indirection which often leaves room for
>> >> attackers
>> >
>> > I don't understand what problem you're solving by doing this.
>>
>> The "problem" is that my XMPP server is called 'chat.sjd.se' and should
>> handle my JID 'simon at josefsson.org'.  Without a cert that binds together
>> both domains, there is no way to verify that 'chat.sjd.se' is authorized
>> to serve XMPP for 'josefsson.org'.
>>
>>
> I'm confused. You're saying that the only XMPP service domain here is
> josefsson.org? In that case, the certificate only needs to contain the
> name josefsson.org. The hostname of the server it runs on is a non-issue
> here.
>
> With DNSSEC in play, there's other options - but those are poorly
> supported.
>
>
>> > As you said, it's just going to make the certs bigger and
>> > overcomplicates things. Using the common name works fine and, for
>> > better or for worse, is just about the only thing supported by any of
>> > the cheap or free cert providers these days.
>>
>> Using the common name only works in simplified situations where the XMPP
>> server sits in the domain of the JIDs it is serving, if I understand
>> correctly.  So I disagree that "using the common name works fine" as a
>> generic statement.  To illustrate my point, consider answering this:
>> what common name would you use for my setup above?
>>
>>
> josefsson.org alone should work OK. Obviously a dNSName SAN of the same
> name is better (for values of better involving CN abuse being bad).
>
>
>> > Just because it's in the RFC doesn't necessarily make it a best
>> > practice, and I think in this case you're just making more issues and
>> > work for yourself for no benefit.
>>
>> I share these concerns -- that's why I wonder if that part of the RFC is
>> really something people care about these days.  Given the lack of
>> documentation around using SRV-ID's for XMPP certificates out there, it
>> seems there is marginal interest in this aspect.
>>
>
> I think we rely on RFC 6125 for this, which does cover things. It's
> possible we should update XEP-0178, too.
>

But looking at it, maybe we don't - it refers to using dNSName or sRVName
rather than anything else, which seems to match actual practice (albeit
it's all dNSName).


>
>
>>
>> /Simon
>>
>
>
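
The matching rule discussed in this thread, as an added example that is not part of the original message or of any XMPP implementation: the reference identity comes from the JID's service domain, not from the SRV target host. SAN entries are assumed to arrive as (type, value) pairs, with "DNS" as in Python's ssl.getpeercert() and "SRV" as a hypothetical decoding of an sRVName otherName; the sample certificates are constructed.

```python
# Added example: RFC 6125-style reference-identifier matching for an XMPP service.
# SAN entries are (type, value) pairs; "DNS" mirrors ssl.getpeercert(), while
# "SRV" is an assumed representation of a decoded sRVName otherName.

def _labels(name):
    return name.rstrip(".").lower().split(".")

def _dns_match(pattern, reference):
    """Exact match, or a wildcard that is the whole left-most label."""
    p, r = _labels(pattern), _labels(reference)
    if len(p) != len(r):
        return False
    if p[0] == "*":
        # Conservative choice: refuse wildcards directly under a TLD ("*.org").
        return len(p) > 2 and p[1:] == r[1:]
    return p == r

def cert_authorises(jid_domain, san, service="xmpp-client"):
    """Return the SAN entry that matches the JID domain, or None.

    The reference identity is the service domain taken from the JID, never
    the host name returned by an unsecured SRV lookup.
    """
    for kind, value in san:
        if kind == "DNS" and _dns_match(value, jid_domain):
            return (kind, value)
        if kind == "SRV":
            # sRVName has the form _service.domain
            svc, _, name = value.partition(".")
            if svc.lower() == "_" + service and _dns_match(name, jid_domain):
                return (kind, value)
    return None

# Constructed SAN lists for the setup described in the thread.
HOST_ONLY = [("DNS", "chat.sjd.se")]
SERVICE_DNS = [("DNS", "josefsson.org")]
SERVICE_SRV = [("DNS", "chat.sjd.se"), ("SRV", "_xmpp-client.josefsson.org")]

if __name__ == "__main__":
    for label, san in [("host only", HOST_ONLY),
                       ("dNSName", SERVICE_DNS),
                       ("sRVName", SERVICE_SRV)]:
        print(label, "->", cert_authorises("josefsson.org", san))
```

A certificate naming only chat.sjd.se is rejected for josefsson.org, while either a dNSName or an sRVName carrying the service domain is accepted whatever host the server runs on.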