[Standards-JIG] wildcards in certs

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Tue Nov 21 23:37:24 UTC 2006


On Tuesday 21 November 2006 2:55 pm, Peter Saint-Andre wrote:
> Matthias Wimmer wrote:
> > I'd prefer to use the dNSName OID to be used for such wildcarded
> > addresses. In my opinion id-on-xmppAddr should be limited to only
> > contain valid XMPP addresses, and a wildcarded domain is not a valid XMPP
> > address.
> >
> > Therefore I'd like to see wildcard support, but I am against using
> > id-on-xmppAddr for this.
>
> That makes sense. Someone told me recently that the dNSName could only
> be used for HTTP domains but I don't see anything in the specs that
> limits it. I need to check on that further.

RFC 3920, section 14.2, would seem to suggest that this is already possible:

"The certificate SHOULD then be checked against the expected identity of the 
peer following the rules described in [HTTP-TLS], except that a 
subjectAltName extension of type "xmpp" MUST be used as the identity if 
present."

I read this as: if id-on-xmppAddr is present, then use it, otherwise validate 
using HTTP-TLS rules.  In the latter case, this means dNSName, and 
wildcarding.  It is nice to get stuff for free. :)

I can only suggest making it more explicit that nodeless entities are not 
required to use id-on-xmppAddr, and that dNSName can be used instead if 
wildcarding is desired.

-Justin
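The two-step rule Justin reads out of RFC 3920 section 14.2 (use id-on-xmppAddr if present, otherwise fall back to the HTTP-TLS rules of RFC 2818 section 3.1, which permit a dNSName wildcard) can be written down directly. The following is an added illustration, not code from the thread or from any XMPP implementation: the subjectAltName entries are constructed as plain tuples rather than parsed from a real certificate, domain comparison is simplified to a case-insensitive string compare, and the wildcard semantics are those of RFC 2818 ("*.a.com matches foo.a.com but not bar.foo.a.com; f*.com matches foo.com"). The point worth seeing is the precedence edge case the thread is circling: once an xmppAddr entry is present it is the identity, matched exactly, and a dNSName wildcard in the same certificate is no longer consulted.

```python
from __future__ import annotations

import re

# Constructed tags for subjectAltName entry kinds. In a real certificate the
# id-on-xmppAddr value is an otherName tagged with OID 1.3.6.1.5.5.7.8.5
# (RFC 3920, section 5.1.1); here we just label the entries by hand.
XMPP_ADDR = "xmppAddr"
DNS_NAME = "dNSName"


def _label_matches(pattern_label: str, label: str) -> bool:
    """RFC 2818 style: '*' matches any fragment within one label, never a dot."""
    regex = "^" + re.escape(pattern_label).replace(r"\*", "[^.]*") + "$"
    return re.match(regex, label, re.IGNORECASE) is not None


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """HTTP-TLS (RFC 2818, section 3.1) matching for a dNSName entry.

    Label counts must agree, so *.a.com matches foo.a.com but not
    bar.foo.a.com, and f*.com matches foo.com but not bar.com.
    """
    p_labels = pattern.rstrip(".").split(".")
    h_labels = hostname.rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def xmpp_identity_matches(expected: str, sans: list[tuple[str, str]]) -> bool:
    """Apply the RFC 3920 section 14.2 rule to a list of (kind, value) SANs.

    If any id-on-xmppAddr entry is present it MUST be the identity: compare
    it exactly (no wildcard interpretation) and ignore dNSName entries.
    Otherwise fall back to the HTTP-TLS rules, i.e. dNSName with wildcards.
    Domainpart comparison is simplified to case folding; a real check would
    apply the stringprep/IDNA normalisation the RFCs require.
    """
    xmpp_entries = [v for kind, v in sans if kind == XMPP_ADDR]
    if xmpp_entries:
        return any(v.lower() == expected.lower() for v in xmpp_entries)
    dns_entries = [v for kind, v in sans if kind == DNS_NAME]
    return any(dns_name_matches(v, expected) for v in dns_entries)


if __name__ == "__main__":
    # Constructed certificates, expressed as their SAN lists.
    wildcard_only = [(DNS_NAME, "*.example.org")]
    mixed = [(XMPP_ADDR, "example.org"), (DNS_NAME, "*.example.org")]

    # dNSName-only cert: wildcard applies, "for free" via HTTP-TLS.
    print(xmpp_identity_matches("im.example.org", wildcard_only))    # True
    # Same wildcard, but an xmppAddr is present, so only it counts.
    print(xmpp_identity_matches("im.example.org", mixed))            # False
    print(xmpp_identity_matches("example.org", mixed))               # True
```

The second and third calls show why the thread wants the wording made explicit: a server that adds an id-on-xmppAddr entry for its bare domain silently loses the wildcard coverage its dNSName entry would otherwise have given it.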
