[Standards-JIG] Re: wildcards in certs

Peter Saint-Andre stpeter at jabber.org
Tue Nov 28 16:41:07 UTC 2006


Matthias Wimmer wrote:
> Hi Justin!
> 
> Justin Karneges wrote:
>> The "at minimum" part confuses me.  Does this mean an XMPP server with 
>> wildcards would want to use both otherName and dNSName simultaneously?
> 
> I think as well that it is confusing. But dNSName is an otherName as well.

I removed that text after I posted to the list yesterday. Here's the
text I wrote in my working copy of rfc3920bis:

***

   If a JID for an XMPP client (e.g., an end user
   account) is represented in a certificate, it MUST be represented
   as a UTF8String within an otherName entity inside the
   subjectAltName, using the [ASN.1] Object Identifier "id-on-
   xmppAddr" specified in Section 5.1.1 of this document.  If a JID
   for an XMPP server is represented in a certificate, it SHOULD be
   represented as a UTF8String within an otherName entity inside
   the subjectAltName, using the [ASN.1] Object Identifier "id-on-
   xmppAddr" specified in Section 5.1.1 of this document; however,
   the JID for an XMPP server MAY also or instead be represented as
   a subjectAltName extension of type dNSName, where the dNSName
   may contain the wildcard character '*', which applies only to
   the left-most domain name component or component fragment and is
   considered to match any single component or component fragment
   (e.g., *.example.com matches foo.example.com but not
   bar.foo.example.com, and im*.example.org matches im1.example.net
   and im2.example.net but not chat.example.net).

***

>> I assume dNSName would be preferred over otherName, if it exists?  If so, that 
>> should probably be mentioned.  Hmm, what is the purpose of having otherName 
>> in that case, if dNSName takes precedence?
> 
> I don't assume this. I'd tell that the union set of both extensions
> would be used, if both are present.

Well, the HTTP Over TLS spec (RFC 2818) specifies an order of checking,
and that seems like a good idea. So I was suggesting that you first
check the XMPP OID. If it's not there, look at the dNSName. If you want
to do wildcards, don't use the XMPP OID, just use the dNSName. If your
server is identified by an IP address rather than a domain name, use the
XMPP OID. In general I think this will lead server admins to use dNSName
and not the XMPP OID. I don't think that's evil. But for client certs
you'd definitely need to use the XMPP OID.

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
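As an added illustration (not code from this thread or from any XMPP implementation), here is the check order Peter describes, XMPP OID first and dNSName only if it is absent, together with the dNSName wildcard rule from the draft text, run over a constructed subjectAltName list. Assumptions: the entries arrive as (type, value) pairs already parsed from the certificate, xmppAddr values are compared exactly (no wildcards), and the fragment matched by '*' may be empty.

```python
# Added example: server identity check in the order described in the thread.
# SAN entries are constructed (type, value) pairs; the type labels are this
# example's own names, not the ASN.1 identifiers from the draft.

def dns_name_matches(pattern: str, name: str) -> bool:
    """dNSName wildcard rule from the draft text: '*' is allowed only in the
    left-most domain component and matches one component or one fragment of
    it, never a dot (so '*.example.com' does not match bar.foo.example.com).
    """
    p_labels = pattern.lower().split(".")
    n_labels = name.lower().split(".")
    if any(not lbl for lbl in n_labels):
        return False                      # reject empty labels in the presented name
    if len(p_labels) != len(n_labels):
        return False                      # '*' never spans several components
    if "*" in ".".join(p_labels[1:]):
        return False                      # wildcard outside the left-most component
    if p_labels[1:] != n_labels[1:]:
        return False                      # non-wildcard components must match exactly
    head, first = p_labels[0], n_labels[0]
    if "*" not in head:
        return head == first
    prefix, _, suffix = head.partition("*")
    if "*" in suffix:
        return False                      # at most one wildcard
    # Assumption: the fragment matched by '*' may be empty (im* matches "im").
    return (len(first) >= len(prefix) + len(suffix)
            and first.startswith(prefix) and first.endswith(suffix))


def server_identity_matches(san_entries, expected_domain: str) -> bool:
    """Check the XMPP otherName (id-on-xmppAddr) first; consult dNSName
    entries only when no xmppAddr entry is present, as Peter suggests."""
    xmpp_addrs = [v for kind, v in san_entries if kind == "otherName:xmppAddr"]
    if xmpp_addrs:
        # Exact comparison: wildcards are only defined for dNSName.
        return expected_domain.lower() in (a.lower() for a in xmpp_addrs)
    dns_names = [v for kind, v in san_entries if kind == "dNSName"]
    return any(dns_name_matches(p, expected_domain) for p in dns_names)


if __name__ == "__main__":
    # Constructed certificate contents for a quick run.
    san = [("dNSName", "*.example.com")]
    print(server_identity_matches(san, "foo.example.com"))      # True
    print(server_identity_matches(san, "bar.foo.example.com"))  # False
```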
