[Standards] XMPP Certificate checking algorithm
alexey.melnikov at isode.com
Sun Mar 23 10:58:58 UTC 2008
Shumon Huque wrote:
>Any comments on the following server certificate checking
>1. (If implementation understands RFC4985) look for RFC4985 style
> service identity in an otherName field (of type OID id-on-dnsSRV).
> The expected identity should be:
> _xmpp-client.DOMAIN for client-server connections
> _xmpp-server.DOMAIN for server-server connections
> where DOMAIN is the JID domain.
>2. Look for expected server identity (either JID domain or
> explicitly configured server hostname) in:
> a. subjectAltName otherName field of type id-on-xmppAddr
> b. subjectAltName dNSName field
> c. subject DN's Common Name field
> Wildcard name matches could be allowed in (b) and (c).
Have you compared this to recommendations in
draft-hodges-server-ident-check-00.txt? This draft has some extra
recommendation about internationalized domain names (IDN).
Also, draft-hodges-server-ident-check-00.txt prohibits wildcard checks
in CNs (case c).
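As an added illustration (not code from either poster, and not from any XMPP implementation), the following Python sketch applies the checking order quoted above, with the one change the reply mentions: wildcards are honoured in dNSName but not in the subject CN, as draft-hodges-server-ident-check-00 requires. The certificate names are supplied already extracted (constructed input, no DER parsing). The two otherName OIDs are taken from RFC 4985 (id-on-dnsSRV) and RFC 3920 (id-on-xmppAddr), not from the message; the wildcard rule (a lone `*` as the left-most label, matching exactly one label, with at least two fixed labels to its right) and the IDNA A-label comparison are assumptions of this example, following the IDN point raised in the reply.

```python
"""Constructed example: XMPP server certificate identity matching.

Follows the order in the quoted proposal: (1) RFC 4985 SRVName, then
(2a) id-on-xmppAddr, (2b) dNSName, (2c) subject CN.  Wildcards are
honoured in dNSName only; the CN is compared exactly (draft-hodges).
Names are passed in pre-extracted; this does not parse certificates.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# otherName type OIDs (PKIX id-on arc): RFC 3920 xmppAddr, RFC 4985 SRVName.
ID_ON_XMPP_ADDR = "1.3.6.1.5.5.7.8.5"
ID_ON_DNS_SRV = "1.3.6.1.5.5.7.8.7"


@dataclass
class CertNames:
    """Identity-bearing fields extracted from a server certificate (constructed)."""
    other_names: List[Tuple[str, str]] = field(default_factory=list)  # (oid, value)
    dns_names: List[str] = field(default_factory=list)
    common_names: List[str] = field(default_factory=list)


def _to_ascii(name: str) -> str:
    """Normalise a domain for comparison: strip a trailing dot, convert any
    U-labels to IDNA A-labels (punycode), and lower-case.  A name the IDNA
    codec rejects can never match (assumption of this example)."""
    try:
        return name.rstrip(".").encode("idna").decode("ascii").lower()
    except UnicodeError:
        return "<invalid>"


def _wildcard_match(pattern: str, name: str) -> bool:
    """'*' accepted only as the entire left-most label, matching exactly one
    label, and only when at least two fixed labels follow it (so '*.com'
    never matches).  Assumed rule, not taken from the message."""
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]


def check_server_identity(cert: CertNames, domain: str, server_to_server: bool,
                          configured_host: Optional[str] = None) -> Optional[str]:
    """Return a tag naming the rule that accepted the certificate, or None."""
    domain_a = _to_ascii(domain)
    service = "_xmpp-server" if server_to_server else "_xmpp-client"
    expected_srv = f"{service}.{domain_a}"
    # Step 2 accepts the JID domain or, if configured, the explicit hostname.
    expected = [domain_a]
    if configured_host:
        expected.append(_to_ascii(configured_host))

    # Step 1: RFC 4985 SRVName otherName, "_Service.Name".
    for oid, value in cert.other_names:
        if oid == ID_ON_DNS_SRV and _to_ascii(value) == expected_srv:
            return "srvname"
    # Step 2a: id-on-xmppAddr otherName carrying the JID domain.
    for oid, value in cert.other_names:
        if oid == ID_ON_XMPP_ADDR and _to_ascii(value) in expected:
            return "xmppAddr"
    # Step 2b: dNSName, exact or wildcard.
    for dns in cert.dns_names:
        pat = _to_ascii(dns)
        if any(pat == e or _wildcard_match(pat, e) for e in expected):
            return "dNSName"
    # Step 2c: subject CN fallback, exact match only (no wildcards).
    for cn in cert.common_names:
        if _to_ascii(cn) in expected:
            return "commonName"
    return None


if __name__ == "__main__":
    # Constructed certificate: SRVName for c2s only, xmppAddr, wildcard dNSName.
    cert = CertNames(
        other_names=[(ID_ON_DNS_SRV, "_xmpp-client.example.com"),
                     (ID_ON_XMPP_ADDR, "example.com")],
        dns_names=["*.example.com", "xmpp1.example.com"],
        common_names=["xmpp1.example.com"],
    )
    print(check_server_identity(cert, "example.com", False))       # srvname
    print(check_server_identity(cert, "example.com", True))        # xmppAddr
    print(check_server_identity(cert, "chat.example.com", False))  # dNSName
    print(check_server_identity(CertNames(common_names=["*.example.org"]),
                                "im.example.org", False))          # None
```

The order matters: a certificate that carries an SRVName for `_xmpp-client` but not `_xmpp-server` still passes a server-to-server check through its xmppAddr, and a `*.example.org` CN is rejected where the same string in a dNSName would be accepted.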