[Standards] [Fwd: [Operators] new cert format]

Peter Saint-Andre stpeter at stpeter.im
Tue Jul 15 19:53:42 UTC 2008


Perhaps of interest here, too.

-------- Original Message --------
Date: Tue, 15 Jul 2008 13:49:36 -0600
From: Peter Saint-Andre <stpeter at stpeter.im>
To: operators at xmpp.org
Subject: [Operators] new cert format

We seem to have consensus about adding id-on-dnsSRV (see RFC 4985) to
the certificate generation format in rfc3920bis. Details are in Section
15.2.1.1 of the spec:

http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3920bis-06.html#security-certificates-generation-server

Now I'm looking into adding that field to the certs issued by the XMPP
ICA <https://www.xmpp.net/>.

So a few questions and points of interest:

1. RFC 4985 doesn't say anything about wildcards so I assume those are
out (they're probably not even allowed by RFC 2782).

2. Do we include the id-on-dnsSRV field only if admins specify that they
have DNS SRV records? That seems overly complex. Just include it in case
they get their DNS act together.

3. The new cert format should be backward compatible because all we're
doing is adding the id-on-dnsSRV. New clients and servers will look for
it but old ones will just ignore it.

Does anyone have questions or concerns about this change? I plan to make
this a reality soon...

/psa
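As an added example (not code from the post or the XMPP ICA), here is how the id-on-dnsSRV SubjectAltName entry discussed above is built and checked. It assumes the id-on-dnsSRV OID 1.3.6.1.5.5.7.8.7 and the RFC 5280 otherName DER layout; the service and domain values are constructed. It rejects wildcards (point 1) and returns None for any other GeneralName, which is the "just ignore it" behaviour older verifiers show (point 3).

```python
# Added example: encode and check an RFC 4985 SRVName (id-on-dnsSRV) otherName.
from typing import Iterable, Optional

ID_ON_DNSSRV_DER = bytes.fromhex("2b06010505070807")  # OID 1.3.6.1.5.5.7.8.7


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value; short-form length only (enough for SRV names)."""
    if len(body) >= 128:
        raise ValueError("long-form DER lengths not handled")
    return bytes([tag, len(body)]) + body


def encode_srvname(service: str, domain: str) -> bytes:
    """GeneralName otherName [0] { type-id id-on-dnsSRV, value [0] IA5String }."""
    if "*" in service or "*" in domain:
        raise ValueError("RFC 4985 SRVName has no wildcard form")
    ia5 = _tlv(0x16, f"_{service}.{domain}".encode("ascii"))  # IA5String
    value = _tlv(0xA0, ia5)                                   # value [0] EXPLICIT
    return _tlv(0xA0, _tlv(0x06, ID_ON_DNSSRV_DER) + value)   # otherName [0]


def decode_srvname(general_name: bytes) -> Optional[str]:
    """Return the SRVName if general_name is an id-on-dnsSRV otherName, else None.

    dNSName entries and otherName entries of another type yield None, so a
    verifier skips them the same way a pre-4985 peer skips this entry.
    """
    if len(general_name) < 2 or general_name[0] != 0xA0:
        return None
    body = general_name[2:2 + general_name[1]]
    if body[:2] != bytes([0x06, len(ID_ON_DNSSRV_DER)]) or body[2:10] != ID_ON_DNSSRV_DER:
        return None
    value = body[10:]
    if len(value) < 4 or value[0] != 0xA0 or value[2] != 0x16:
        return None
    return value[4:4 + value[3]].decode("ascii")


def srvname_matches(san_entries: Iterable[bytes], service: str, domain: str) -> bool:
    """True if some SAN entry is an SRVName equal (case-insensitive, no
    wildcards) to the name a peer would resolve: _<service>.<domain>."""
    expected = f"_{service}.{domain}".lower()
    for entry in san_entries:
        name = decode_srvname(entry)
        if name is not None and "*" not in name and name.lower() == expected:
            return True
    return False
```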