[Operators] Obtaining XMPP-enabled certificate for server
dave at cridland.net
Wed Jul 20 09:53:59 UTC 2016
On 20 July 2016 at 10:15, Dave Cridland <dave at cridland.net> wrote:
> On 20 July 2016 at 10:07, Simon Josefsson <simon at josefsson.org> wrote:
>> Sam Whited <sam at samwhited.com> writes:
>> > On Tue, Jul 19, 2016 at 4:53 AM, Simon Josefsson <simon at josefsson.org>
>> >> I wonder if people really care about this usage any more -- it does not
>> >> scale well (all domains have to be encoded in the same cert => big
>> >> certs) and introduces an indirection which often leaves room for
>> >> attackers
>> > I don't understand what problem you're solving by doing this.
>> The "problem" is that my XMPP server is called 'chat.sjd.se' and should
>> handle my JID 'simon at josefsson.org'. Without a cert that binds together
>> both domains, there is no way to verify that 'chat.sjd.se' is authorized
>> to serve XMPP for 'josefsson.org'.
> I'm confused. You're saying that the only XMPP service domain here is
> josefsson.org? In that case, the certificate only needs to contain the
> name josefsson.org. The hostname of the server it runs on is a non-issue
> With DNSSEC in play, there's other options - but those are poorly
>> > As you said, it's just going to make the certs bigger and
>> > overcomplicates things. Using the common name works fine and, for
>> > better or for worse, is just about the only thing supported by any of
>> > the cheap or free cert providers these days.
>> Using the common name only works in simplified situations where the XMPP
>> server sits in the domain of the JIDs it is serving, if I understand
>> correctly. So I disagree that "using the common name works fine" as a
>> generic statement. To illustrate my point, consider answering this:
>> what common name would you use for my setup above?
> josefsson.org alone should work OK. Obviously a dNSName SAN of the same
> name is better (for values of better involving CN abuse being bad).
>> > Just because it's in the RFC doesn't necessarily make it a best
>> > practice, and I think in this case you're just making more issues and
>> > work for yourself for no benefit.
>> I share these concerns -- that's why I wonder if that part of the RFC is
>> really something people care about these days. Given the lack of
>> documentation around using SRV-ID's for XMPP certificates out there, it
>> seems there is marginal interest in this aspect.
> I think we rely on RFC 6125 for this, which does cover things. It's
> possible we should update XEP-0178, too.
But looking at it, maybe we don't - it refers to using dNSName or sRVName
rather than anything else, which seems to match actual practice (albeit
it's all dNSName).
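Added example, not part of the thread or of any project it mentions: a small Python model of the identity check the discussion is about. It takes the identifiers a parser would have extracted from a certificate (dNSName and the id-on-dnsSRV / id-on-xmppAddr otherNames in subjectAltName, plus the subject CN) and decides whether the certificate authorizes a given XMPP service domain. No real X.509 parsing is done; the certificates below are constructed to mirror the setup in the thread (server host chat.sjd.se, service domain josefsson.org). The CN-ID fallback rule follows RFC 6125 section 6.4.4 (CN consulted only when the certificate presents no subjectAltName identifiers); the SRV-ID form "_service.domain" follows RFC 4985; the order in which the SAN types are tried is a design choice here and does not change the outcome.

```python
"""Model of the XMPP server-certificate identity check (RFC 6120 s.13.7 / RFC 6125).

Added illustration; certificates are plain data, not parsed from real X.509.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertIdentities:
    """Identifiers as they would be extracted from a certificate (constructed here)."""
    dns_ids: List[str] = field(default_factory=list)     # subjectAltName dNSName entries
    srv_ids: List[str] = field(default_factory=list)     # otherName id-on-dnsSRV, "_service.domain" (RFC 4985)
    xmpp_addrs: List[str] = field(default_factory=list)  # otherName id-on-xmppAddr (RFC 6120 s.13.7.1.4)
    common_name: Optional[str] = None                    # subject CN, legacy fallback only


def _dns_match(presented: str, reference: str) -> bool:
    """DNS-ID comparison per RFC 6125 s.6.4.3: case-insensitive exact match, or a
    wildcard that is the whole left-most label and covers exactly one label."""
    p = presented.lower().rstrip(".")
    r = reference.lower().rstrip(".")
    if p == r:
        return True
    if p.startswith("*.") and "*" not in p[2:]:
        r_labels = r.split(".")
        # "*.example.org" matches "chat.example.org" but not "example.org"
        # itself and not "a.b.example.org" (wildcard must not span labels)
        return len(r_labels) > 1 and ".".join(r_labels[1:]) == p[2:]
    return False


def cert_authorizes_domain(cert: CertIdentities, domain: str,
                           service: str = "xmpp-server") -> Tuple[bool, str]:
    """Return (authorized, reason) for the reference domain and service type.

    Any matching subjectAltName identifier suffices.  The CN is consulted only
    when the certificate carries no SAN identifiers at all (RFC 6125 s.6.4.4).
    """
    ref_srv = f"_{service}.{domain}".lower()
    for s in cert.srv_ids:
        # SRV-ID binds the domain to a specific service: _xmpp-server vs _xmpp-client
        if s.lower().rstrip(".") == ref_srv:
            return True, f"SRV-ID {s}"
    for x in cert.xmpp_addrs:
        if x.lower() == domain.lower():
            return True, f"XmppAddr {x}"
    for d in cert.dns_ids:
        if _dns_match(d, domain):
            return True, f"DNS-ID {d}"
    has_san = bool(cert.dns_ids or cert.srv_ids or cert.xmpp_addrs)
    if not has_san and cert.common_name and _dns_match(cert.common_name, domain):
        return True, f"CN-ID {cert.common_name} (no subjectAltName present)"
    return False, "no identifier matches the service domain"


# Constructed sample certificates mirroring the thread's scenario.
HOST_ONLY = CertIdentities(dns_ids=["chat.sjd.se"])                 # names the host, not the JID domain
SERVICE_DNS = CertIdentities(dns_ids=["josefsson.org"])               # dNSName for the service domain
SERVICE_SRV = CertIdentities(dns_ids=["chat.sjd.se"],
                             srv_ids=["_xmpp-server.josefsson.org"])  # host plus SRV-ID for s2s
CN_ONLY = CertIdentities(common_name="josefsson.org")                 # legacy CN-only certificate
CN_IGNORED = CertIdentities(dns_ids=["chat.sjd.se"],
                            common_name="josefsson.org")              # SAN present, so CN is ignored
WILDCARD = CertIdentities(dns_ids=["*.josefsson.org"])

SAMPLES = [("host-only", HOST_ONLY), ("service-dns", SERVICE_DNS), ("service-srv", SERVICE_SRV),
           ("cn-only", CN_ONLY), ("cn-ignored", CN_IGNORED), ("wildcard", WILDCARD)]


def evaluate_samples(domain: str = "josefsson.org") -> dict:
    """Run every sample certificate against the service domain; returns name -> bool."""
    return {name: cert_authorizes_domain(cert, domain)[0] for name, cert in SAMPLES}


if __name__ == "__main__":
    for name, cert in SAMPLES:
        ok, why = cert_authorizes_domain(cert, "josefsson.org")
        print(f"{name:12s} {'OK ' if ok else 'NO '} {why}")
```

Run as a script it prints one verdict per sample: only the certificates that name josefsson.org itself (as dNSName, as CN with no SANs, or as _xmpp-server SRV-ID) are accepted; a certificate that names only chat.sjd.se is rejected even when its CN says josefsson.org, and a wildcard for *.josefsson.org does not cover the bare domain. Note that SERVICE_SRV is rejected for the xmpp-client service because an SRV-ID authorizes exactly one service.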