[Standards-JIG] wildcards in certs

Peter Saint-Andre stpeter at jabber.org
Wed Nov 22 03:33:04 UTC 2006

Justin Karneges wrote:
> On Tuesday 21 November 2006 2:55 pm, Peter Saint-Andre wrote:
>> Matthias Wimmer wrote:
>>> I'd prefer to use the dNSName OID to be used for such wildcarded
>>> addresses. In my opinion id-on-xmppAddr should be limited to only
>>> contain valid XMPP addresses, and a wildcarded domain is no valid XMPP
>>> address.
>>> Therefore I'd like to see wildcard support, but I am against using
>>> id-on-xmppAddr for this.
>> That makes sense. Someone told me recently that the dNSName could only
>> be used for HTTP domains but I don't see anything in the specs that
>> limits it. I need to check on that further.
> RFC 3920, section 14.2, would seem to suggest that this is already possible:
> "The certificate SHOULD then be checked against the expected identity of the 
> peer following the rules described in [HTTP-TLS], except that a 
> subjectAltName extension of type "xmpp" MUST be used as the identity if 
> present."
> I read this as: if id-on-xmppAddr is present, then use it, otherwise validate 
> using HTTP-TLS rules.  In the latter case, this means dNSName, and 
> wildcarding.  It is nice to get stuff for free. :)
> I can only suggest making it more explicit that nodeless entities are not 
> required to use id-on-xmppAddr, and that dNSName can be used instead if 
> wildcarding is desired.

Hey, were we really that smart back in 2003? It seems so (I think I got
that text from someone else). I agree that we need to make it clearer,
and mention dNSNames.


Peter Saint-Andre
Jabber Software Foundation
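The identity check Justin reads out of RFC 3920 section 14.2 (use id-on-xmppAddr exactly if present, otherwise fall back to the [HTTP-TLS] dNSName rules, which allow wildcards) is small enough to show in code. The block below is an added illustration written for this archive page; it is not code from the thread, from RFC 3920, or from any Jabber/XMPP server. It assumes a simplified, constructed representation of a certificate's subjectAltName list as `(kind, value)` tuples rather than output of a real X.509 parser, and it implements the wildcard rule from RFC 2818 section 3.1 (`*` matches a single label or label fragment). Matthias's point that a wildcard is not a valid XMPP address is reflected by comparing xmppAddr entries exactly.

```python
"""Certificate identity check for an XMPP server peer, as discussed in the
thread: prefer id-on-xmppAddr (exact match, no wildcards), else fall back to
the HTTP-TLS (RFC 2818 section 3.1) dNSName rules, which allow wildcards.

Added example: the SAN list is a constructed, simplified representation
(list of (kind, value) tuples), not output of any real X.509 parser.
"""

XMPP_ADDR = "xmppAddr"   # id-on-xmppAddr otherName entry (simplified label)
DNS_NAME = "dNSName"     # dNSName GeneralName entry (simplified label)


def _normalize(name):
    """Lower-case and drop a trailing dot; DNS names are case-insensitive."""
    return name.strip().rstrip(".").lower()


def _label_matches(pattern, label):
    """RFC 2818 section 3.1 rule for one label: '*' matches any single
    domain-name component or component fragment, so 'f*' matches 'foo'
    but a '*' never spans a dot. At most one '*' per label is accepted."""
    if "*" not in pattern:
        return pattern == label
    if pattern.count("*") > 1:
        return False
    head, _, tail = pattern.partition("*")
    return (len(label) >= len(head) + len(tail)
            and label.startswith(head)
            and label.endswith(tail))


def dns_name_matches(pattern, hostname):
    """Match a dNSName value (possibly wildcarded) against a hostname.
    Label counts must agree, so '*.example.com' matches neither
    'a.b.example.com' nor 'example.com'."""
    p_labels = _normalize(pattern).split(".")
    h_labels = _normalize(hostname).split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def check_peer_identity(san_entries, expected_domain):
    """Return the SAN value that identifies expected_domain, or None.

    Rule from RFC 3920 section 14.2 as read in the thread: if any
    id-on-xmppAddr entry is present it MUST be the identity and is compared
    exactly (a wildcard is not a valid XMPP address); only when no xmppAddr
    is present do we fall back to dNSName, where wildcards are honoured."""
    expected = _normalize(expected_domain)
    xmpp_addrs = [v for k, v in san_entries if k == XMPP_ADDR]
    if xmpp_addrs:
        for value in xmpp_addrs:
            if _normalize(value) == expected:
                return value
        return None  # xmppAddr present but wrong: dNSName is NOT consulted
    for kind, value in san_entries:
        if kind == DNS_NAME and dns_name_matches(value, expected):
            return value
    return None


# Constructed sample SAN lists (not taken from any real certificate).
SAN_XMPP_AND_DNS = [(XMPP_ADDR, "example.com"), (DNS_NAME, "*.example.com")]
SAN_DNS_ONLY = [(DNS_NAME, "*.example.com")]
SAN_XMPP_WILDCARD = [(XMPP_ADDR, "*.example.com")]

if __name__ == "__main__":
    for sans, host in [(SAN_XMPP_AND_DNS, "example.com"),
                       (SAN_XMPP_AND_DNS, "conference.example.com"),
                       (SAN_DNS_ONLY, "conference.example.com"),
                       (SAN_DNS_ONLY, "a.b.example.com"),
                       (SAN_XMPP_WILDCARD, "conference.example.com")]:
        print(host, "->", check_peer_identity(sans, host))
```

Two consequences of the precedence rule are worth noticing when running this: a certificate that carries both an xmppAddr for `example.com` and a wildcard dNSName does not identify `conference.example.com`, because the dNSName is never consulted once an xmppAddr exists; and a wildcard placed in an xmppAddr buys nothing, since that field is compared exactly. Later XMPP and PKIX identity specifications restricted wildcard matching further than the RFC 2818 fragment rule used here, so treat this as the 2006-era reading the thread describes rather than current best practice.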
