[Standards] XMPP Certificate checking algorithm

Shumon Huque shuque at isc.upenn.edu
Sun Feb 17 22:23:58 UTC 2008


Peter Saint-Andre suggested that I move a discussion we've been
having on the Adium Developer's mailing list here, regarding XMPP's 
certificate validity checking algorithm.

Here is the original set of issues that I brought up:


And the current sensible consensus on what to check in the
certificate is:

  1. If client/server software explicitly specifies the server hostname
     to connect to, use that hostname in the certificate check.
  2. If not, use the domain identifier portion of the JID.

In a later message in the same thread, I brought up the additional
possibility of using RFC 4985 to perform certificate checks:


Does anyone have thoughts on these issues/suggestions?

Shumon Huque				3401 Walnut Street, Suite 221A,
Network Engineering			Philadelphia, PA 19104-6228, USA.
Information Systems & Computing		(215)898-2477, (215)898-9348 (Fax)
University of Pennsylvania / MAGPI.	E-mail: shuque -at- isc.upenn.edu
