[Standards] [Fwd: [Operators] new cert format]
stpeter at stpeter.im
Tue Jul 15 19:53:42 UTC 2008
Perhaps of interest here, too.
-------- Original Message --------
Date: Tue, 15 Jul 2008 13:49:36 -0600
From: Peter Saint-Andre <stpeter at stpeter.im>
To: operators at xmpp.org
Subject: [Operators] new cert format
We seem to have consensus about adding id-on-dnsSRV (see RFC 4985) to
the certificate generation format in rfc3920bis. Details are in Section
126.96.36.199 of the spec:
Now I'm looking into adding that field to the certs issued by the XMPP
So a few questions and points of interest:
1. RFC 4985 doesn't say anything about wildcards so I assume those are
out (they're probably not even allowed by RFC 2782).
2. Do we include the id-on-dnsSRV field only if admins specify that they
have DNS SRV records? That seems overly complex. Just include it in case
they get their DNS act together.
3. The new cert format should be backward compatible because all we're
doing is adding the id-on-dnsSRV. New clients and servers will look for
it but old ones will just ignore it.
Does anyone have questions or concerns about this change? I plan to make
this a reality soon...
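An added example, not part of the original message or of any XMPP project's code: a sketch of how a verifier could treat the new field alongside the existing dNSName, following points 1 and 3 above. The function names, the (kind, value) representation of subjectAltName entries, the accept-on-either-match policy and the sample certificates are assumptions made for illustration; dNSName is compared exactly here.

```python
ID_ON_DNSSRV = "1.3.6.1.5.5.7.8.7"  # id-on-dnsSRV otherName OID (RFC 4985)

def parse_srv_name(value):
    """Split an SRVName of the form "_Service.Name" into (service, domain).

    Returns None for malformed values. Wildcards are rejected, following the
    assumption in point 1 of the message (not an explicit RFC 4985 rule).
    """
    if not value.isascii() or not value.startswith("_") or "*" in value:
        return None
    service, sep, domain = value[1:].partition(".")
    domain = domain.rstrip(".")
    if not sep or not service or not domain:
        return None
    return service.lower(), domain.lower()

def cert_matches(san_entries, service, domain, understands_srv=True):
    """Check subjectAltName entries against the service and domain we dialed.

    san_entries: list of (kind, value), where kind is "dNSName" or an
    otherName OID string (hypothetical representation for this sketch).
    understands_srv=False models an old peer that ignores unknown otherNames.
    """
    want = domain.rstrip(".").lower()
    for kind, value in san_entries:
        if kind == "dNSName" and value.rstrip(".").lower() == want:
            return True
        if understands_srv and kind == ID_ON_DNSSRV:
            if parse_srv_name(value) == (service.lower(), want):
                return True
    return False

# Constructed sample certificates (subjectAltName contents only).
NEW_CERT = [("dNSName", "example.com"),
            (ID_ON_DNSSRV, "_xmpp-server.example.com")]
SRV_ONLY = [(ID_ON_DNSSRV, "_xmpp-server.example.com")]
WILDCARD = [(ID_ON_DNSSRV, "_xmpp-server.*.example.com")]

if __name__ == "__main__":
    for name, cert in [("new", NEW_CERT), ("srv-only", SRV_ONLY), ("wildcard", WILDCARD)]:
        for new_peer in (True, False):
            ok = cert_matches(cert, "xmpp-server", "example.com", new_peer)
            print(f"{name:9} understands_srv={new_peer!s:5} -> {ok}")
```

A certificate carrying both name forms validates for old and new peers alike, while an SRVName-only certificate is usable only by peers that understand the field and only for the named service.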