[Standards-JIG] Re: wildcards in certs
stpeter at jabber.org
Tue Nov 28 16:41:07 UTC 2006
Matthias Wimmer wrote:
> Hi Justin!
> Justin Karneges schrieb:
>> The "at minimum" part confuses me. Does this mean an XMPP server with
>> wildcards would want to use both otherName and dNSName simultaneously?
> I think as well that it is confusing. But dNSName is an otherName as well.
I removed that text after I posted to the list yesterday. Here's the
text I wrote in my working copy of rfc3920bis:
   If a JID for an XMPP client (e.g., an end user account) is represented
   in a certificate, it MUST be represented as a UTF8String within an
   otherName entity inside the subjectAltName, using the [ASN.1] Object
   Identifier "id-on-xmppAddr" specified in Section 5.1.1 of this
   document. If a JID for an XMPP server is represented in a certificate,
   it SHOULD be represented as a UTF8String within an otherName entity
   inside the subjectAltName, using the [ASN.1] Object Identifier
   "id-on-xmppAddr" specified in Section 5.1.1 of this document; however,
   the JID for an XMPP server MAY also or instead be represented as a
   subjectAltName extension of type dNSName, where the dNSName may contain
   the wildcard character '*', which applies only to the left-most domain
   name component or component fragment and is considered to match any
   single component or component fragment (e.g., *.example.com matches
   foo.example.com but not bar.foo.example.com, and im*.example.org
   matches im1.example.net and im2.example.net but not chat.example.net).
>> I assume dNSName would be preferred over otherName, if it exists? If so, that
>> should probably be mentioned. Hmm, what is the purpose of having otherName
>> in that case, if dNSName takes precedence?
> I don't assume this. I'd tell that the union set of both extensions
> would be used, if both are present.
Well, the HTTP Over TLS spec (RFC 2818) specifies an order of checking,
and that seems like a good idea. So I was suggesting that you first
check the XMPP OID. If it's not there, look at the dNSName. If you want
to do wildcards, don't use the XMPP OID, just use the dNSName. If your
server is identified by an IP address rather than a domain name, use the
XMPP OID. In general I think this will lead server admins to use dNSName
and not the XMPP OID. I don't think that's evil. But for client certs
you'd definitely need to use the XMPP OID.
Jabber Software Foundation
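As an added illustration (not code from the thread or from any XMPP implementation), the checking order suggested in the message and the wildcard rule from the quoted draft text, written out in Python. The SAN is modelled as constructed (kind, value) tuples standing in for decoded otherName/dNSName entries; the requirement that '*' stands in for at least one character is an assumption not stated in the draft.

```python
# Constructed illustration of the checking order described in the message.
# SAN entries are modelled as (kind, value) tuples that a real implementation
# would decode from the certificate's subjectAltName; "xmppAddr" stands for
# an otherName carrying id-on-xmppAddr, "dNSName" for a dNSName entry.

def wildcard_dns_match(pattern, name):
    """dNSName comparison per the draft text: '*' may appear only in the
    left-most label and matches exactly one label (or a fragment of it)."""
    p_labels = pattern.lower().rstrip('.').split('.')
    n_labels = name.lower().rstrip('.').split('.')
    if '*' not in pattern:
        return p_labels == n_labels
    # Reject a wildcard anywhere but the left-most label, or more than one.
    if p_labels[0].count('*') != 1 or any('*' in lbl for lbl in p_labels[1:]):
        return False
    # '*' never spans components, so label counts must agree and every
    # label right of the wildcard must match exactly.
    if len(p_labels) != len(n_labels) or p_labels[1:] != n_labels[1:]:
        return False
    prefix, suffix = p_labels[0].split('*')
    first = n_labels[0]
    # Assumed: the wildcard has to stand in for at least one character.
    return (len(first) > len(prefix) + len(suffix)
            and first.startswith(prefix) and first.endswith(suffix))


def server_identity_matches(san_entries, expected_domain):
    """Check an XMPP server's domain against the SAN in the order
    suggested: id-on-xmppAddr first; dNSName only if no xmppAddr exists."""
    xmpp_addrs = [v for kind, v in san_entries if kind == 'xmppAddr']
    if xmpp_addrs:
        # No wildcards are defined for id-on-xmppAddr: exact match only.
        # (Domain comparison simplified to ASCII lower-casing.)
        return expected_domain.lower() in (a.lower() for a in xmpp_addrs)
    dns_names = [v for kind, v in san_entries if kind == 'dNSName']
    return any(wildcard_dns_match(p, expected_domain) for p in dns_names)


if __name__ == '__main__':
    # Constructed SAN: xmppAddr present, so the wildcard dNSName is ignored.
    san = [('xmppAddr', 'example.com'), ('dNSName', '*.example.com')]
    print(server_identity_matches(san, 'example.com'))          # True
    print(server_identity_matches(san, 'foo.example.com'))      # False
    print(server_identity_matches(san[1:], 'foo.example.com'))  # True
```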