[Standards] XMPP Certificate checking algorithm

Shumon Huque shuque at isc.upenn.edu
Mon Feb 18 04:32:11 UTC 2008


On Sun, Feb 17, 2008 at 09:15:43PM -0700, Peter Saint-Andre wrote:

> rfc3920bis says that if id-on-xmppAddr is included, you must use that as
> the identity:
> 
> http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3920bis-05.html#security-validation
> 
> How should the certificate be validated if it does not include a CN or
> dnsName and the validating application does not understand xmppAddr? And
> will a responsible CA even issue certificates without a CN? I know that
> the XMPP ICA / StartCom won't do that.

What string is in the XmppAddr field? Looks like the spec says a
"JID", so in theory the domain identifier portion of that JID
could be used. But yes, there's a backward compatibility problem
with clients that don't understand the extension.

If the CN or dnsName includes a name, then it may be possible to
steal the certificate and reuse it to impersonate other services
at that name, assuming client software for those services just
ignores XmppAddr because it doesn't understand it. That's a security
problem in my opinion.

I still think RFC 4985 provides a more elegant solution to this.
That will allow inclusion of the hostname of the machine actually
providing the service and an otherName specifying the service. And
I think it avoids the backward compatibility issue.

--Shumon.
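The three identity forms discussed in this thread (id-on-xmppAddr, RFC 4985 SRVName, and plain dNSName) and the two checking behaviours Shumon contrasts, as an added example that is not part of the original message or of any XMPP implementation. It uses a small pure-Python DER encoder/decoder so it runs offline: it builds a SubjectAltName value, parses it back, and then applies (a) a checker that honours xmppAddr/SRVName in the rfc3920bis order and (b) a legacy checker that only reads dNSName. The OIDs are the registered ones (id-on-xmppAddr 1.3.6.1.5.5.7.8.5, id-on-dnsSRV 1.3.6.1.5.5.7.8.7); every domain name, JID and SRV label below is constructed sample data, and the function names are this example's own.

```python
# Added example: minimal DER handling for X.509 SubjectAltName GeneralNames,
# enough to show xmppAddr / SRVName / dNSName identity checking side by side.
# Sample names (example.com, xmpp1.example.net, ...) are constructed.

XMPP_ADDR_OID = "1.3.6.1.5.5.7.8.5"   # id-on-xmppAddr (RFC 3920)
SRV_NAME_OID = "1.3.6.1.5.5.7.8.7"    # id-on-dnsSRV   (RFC 4985)

# ---- minimal DER helpers ---------------------------------------------------

def der(tag: int, body: bytes) -> bytes:
    """TLV-encode body under a one-byte tag (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + body

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return der(0x06, bytes(body))

def der_read(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nb = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

# ---- GeneralName construction / parsing (RFC 5280 SubjectAltName) -----------

def other_name(oid: str, value_tag: int, value: str) -> bytes:
    # otherName ::= [0] SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
    return der(0xA0, der_oid(oid) + der(0xA0, der(value_tag, value.encode())))

def make_san(xmpp_addr=(), srv=(), dns=()) -> bytes:
    names = b""
    for jid in xmpp_addr:
        names += other_name(XMPP_ADDR_OID, 0x0C, jid)  # UTF8String JID
    for s in srv:
        names += other_name(SRV_NAME_OID, 0x16, s)     # IA5String "_Service.Name"
    for d in dns:
        names += der(0x82, d.encode("ascii"))          # dNSName [2] IA5String
    return der(0x30, names)

def parse_san(san: bytes) -> dict:
    tag, body, _ = der_read(san)
    assert tag == 0x30, "SubjectAltName must be SEQUENCE OF GeneralName"
    out = {"xmppAddr": [], "SRVName": [], "dNSName": []}
    pos = 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        if tag == 0x82:
            out["dNSName"].append(inner.decode("ascii"))
        elif tag == 0xA0:                              # otherName
            _, oid_body, p = der_read(inner)
            _, explicit, _ = der_read(inner, p)        # strip [0] EXPLICIT wrapper
            _, value, _ = der_read(explicit)
            oid = decode_oid(oid_body)
            if oid == XMPP_ADDR_OID:
                out["xmppAddr"].append(value.decode("utf-8"))
            elif oid == SRV_NAME_OID:
                out["SRVName"].append(value.decode("ascii"))
            # any other otherName type is silently ignored, as a legacy client would
    return out

# ---- identity checks -------------------------------------------------------

def jid_domain(jid: str) -> str:
    """domainpart of [localpart@]domainpart[/resource]; resource is split first."""
    bare = jid.split("/", 1)[0]
    return bare.split("@", 1)[1] if "@" in bare else bare

def xmpp_aware_check(san: bytes, domain: str) -> bool:
    """rfc3920bis order: xmppAddr, if present, is *the* identity; else SRVName; else dNSName."""
    names, domain = parse_san(san), domain.lower()
    if names["xmppAddr"]:
        return domain in {jid_domain(j).lower() for j in names["xmppAddr"]}
    if names["SRVName"]:
        return f"_xmpp-server.{domain}" in {s.lower() for s in names["SRVName"]}
    return domain in {d.lower() for d in names["dNSName"]}

def legacy_dns_check(san: bytes, hostname: str) -> bool:
    """What an HTTPS/IMAP-style client that knows nothing about otherName does."""
    return hostname.lower() in {d.lower() for d in parse_san(san)["dNSName"]}
```

Running `xmpp_aware_check` and `legacy_dns_check` over a SAN with both `xmppAddr=example.com` and `dNSName=example.com` shows the reuse concern raised above: the legacy checker accepts that certificate for any service at example.com. A SAN carrying `_xmpp-server.example.com` as SRVName plus the real host's dNSName is accepted by the SRV-aware checker for example.com, while the legacy checker only matches the actual hostname.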
