[Standards] XMPP Certificate checking algorithm

Shumon Huque shuque at isc.upenn.edu
Sat Feb 23 04:03:12 UTC 2008


Any comments on the following server certificate checking 
algorithm?

1. (If implementation understands RFC4985) look for RFC4985 style 
   service identity in an otherName field (of type OID id-on-dnsSRV). 
   The expected identity should be:

	_xmpp-client.DOMAIN for client-server connections
	_xmpp-server.DOMAIN for server-server connections

   where DOMAIN is the JID domain.

2. Look for expected server identity (either JID domain or 
   explicitly configured server hostname) in:

	a. subjectAltName otherName field of type id-on-xmppAddr
	b. subjectAltName dNSName field
	c. subject DN's Common Name field

   Wildcard name matches could be allowed in (b) and (c).

---

After seeing Peter's note about the approved sieve notify
mechanism, it just occurred to me that another approach to 
identify service names might be to use the xmpp uri scheme.
Has anyone considered this before?

In that case, you could just use the subjectAltName's existing 
uniformResourceIdentifier field to store JID strings prepended
with "xmpp:".

Are there any advantages to this approach? It seems to have all
the functionality of id-on-xmppAddr without needing a special
otherName type. It provides the ability to specify client identities
which RFC4985 does not, if client certificate based authentication
is used. On the other hand, RFC4985 is able to differentiate the
c2s and s2s identities, which may be important, and more naturally 
maps to their SRV records.

--Shumon.

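The two checking procedures in this message (the numbered RFC 4985 / xmppAddr / dNSName / CN algorithm, and the alternative of carrying a JID in a subjectAltName uniformResourceIdentifier prefixed with "xmpp:") can be written down as one matcher. The following is an added illustration, not code from the post or from any XMPP implementation. It assumes the certificate's identity fields have already been parsed into a small record (`CertIdentities`, a constructed stand-in for real X.509 extension parsing); the OIDs for id-on-xmppAddr and id-on-dnsSRV are the registered ones, and the single-leftmost-label wildcard rule used for (b) and (c) is this example's own interpretation of "wildcard name matches could be allowed".

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Registered OIDs for the two otherName types discussed in the post.
ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"   # id-on-xmppAddr (RFC 3920)
ID_ON_DNSSRV = "1.3.6.1.5.5.7.8.7"     # id-on-dnsSRV   (RFC 4985)


@dataclass
class CertIdentities:
    """Constructed, already-parsed view of a certificate's identity fields.
    A real checker would extract these from the subjectAltName extension
    and the subject DN; this record is a stand-in for that parsing step."""
    other_names: List[Tuple[str, str]] = field(default_factory=list)  # (OID, value)
    dns_names: List[str] = field(default_factory=list)                # dNSName entries
    uris: List[str] = field(default_factory=list)                     # uniformResourceIdentifier entries
    common_name: Optional[str] = None                                 # subject DN CN


def _norm(name: str) -> str:
    """Case-fold and strip a trailing dot so comparisons are canonical."""
    return name.rstrip(".").lower()


def wildcard_match(pattern: str, name: str) -> bool:
    """Exact match, or a '*.' wildcard that covers exactly one leftmost label.
    '*.example.com' matches 'im.example.com' but not 'example.com'
    or 'a.b.example.com'."""
    p, n = _norm(pattern), _norm(name)
    if not p.startswith("*."):
        return p == n
    suffix = p[1:]                      # '.example.com'
    if not n.endswith(suffix):
        return False
    head = n[: -len(suffix)]            # the part the '*' stands for
    return bool(head) and "." not in head


def check_server_cert(cert: CertIdentities, domain: str, connection: str,
                      hostname: Optional[str] = None,
                      understands_rfc4985: bool = True,
                      allow_xmpp_uri: bool = False) -> Optional[str]:
    """Apply the post's checks in order; return a label for the first rule
    that matches, or None if the certificate does not assert the identity.
    `connection` is 'client' (c2s) or 'server' (s2s)."""
    # Step 1: RFC 4985 service identity _xmpp-client.DOMAIN / _xmpp-server.DOMAIN
    if understands_rfc4985:
        expected_srv = f"_xmpp-{connection}." + _norm(domain)
        for oid, value in cert.other_names:
            if oid == ID_ON_DNSSRV and _norm(value) == expected_srv:
                return "1:dnsSRV"

    # Step 2: expected server identity is the JID domain or a configured hostname
    expected_ids = [_norm(domain)] + ([_norm(hostname)] if hostname else [])

    # 2a: id-on-xmppAddr otherName, exact match only (no wildcards here)
    for oid, value in cert.other_names:
        if oid == ID_ON_XMPPADDR and _norm(value) in expected_ids:
            return "2a:xmppAddr"

    # 2b: dNSName, wildcard allowed
    for ident in expected_ids:
        for dns in cert.dns_names:
            if wildcard_match(dns, ident):
                return "2b:dNSName"

    # 2c: subject CN, wildcard allowed (last resort, legacy certificates)
    if cert.common_name:
        for ident in expected_ids:
            if wildcard_match(cert.common_name, ident):
                return "2c:CN"

    # Alternative floated in the second half of the post: 'xmpp:' URI in the SAN
    if allow_xmpp_uri:
        for uri in cert.uris:
            if uri.lower().startswith("xmpp:") and _norm(uri[len("xmpp:"):]) in expected_ids:
                return "uri:xmpp"

    return None


# Constructed sample certificates (not real certificates).
SRV_AND_WILDCARD_CERT = CertIdentities(
    other_names=[(ID_ON_DNSSRV, "_xmpp-client.example.com")],
    dns_names=["*.example.com"],
    common_name="example.com",
)
XMPP_URI_ONLY_CERT = CertIdentities(uris=["xmpp:example.org"])
XMPPADDR_CERT = CertIdentities(other_names=[(ID_ON_XMPPADDR, "example.net")])

if __name__ == "__main__":
    print(check_server_cert(SRV_AND_WILDCARD_CERT, "example.com", "client"))
    print(check_server_cert(SRV_AND_WILDCARD_CERT, "example.com", "server",
                            hostname="im.example.com"))
    print(check_server_cert(XMPP_URI_ONLY_CERT, "example.org", "client",
                            allow_xmpp_uri=True))
```

Running the sample shows the ordering the post proposes: the c2s connection is accepted by the RFC 4985 entry, the s2s connection to the same certificate falls through to the wildcard dNSName (via the configured hostname) because there is no `_xmpp-server` entry, and a certificate carrying only an `xmpp:` URI is accepted only when that extension of the algorithm is switched on.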