[Standards] XMPP Certificate checking algorithm

Alexey Melnikov alexey.melnikov at isode.com
Sun Mar 23 10:58:58 UTC 2008


Hi Shumon,

Shumon Huque wrote:

>Any comments on the following server certificate checking 
>algorithm?
>
>1. (If implementation understands RFC4985) look for RFC4985 style 
>   service identity in an otherName field (of type OID id-on-dnsSRV). 
>   The expected identity should be:
>
>	_xmpp-client.DOMAIN for client-server connections
>	_xmpp-server.DOMAIN for server-server connections
>
>   where DOMAIN is the JID domain.
>
>2. Look for expected server identity (either JID domain or 
>   explicitly configured server hostname) in:
>
>	a. subjectAltName otherName field of type id-on-xmppAddr
>	b. subjectAltName dNSName field
>	c. subject DN's Common Name field
>
>   Wildcard name matches could be allowed in (b) and (c).
>
Have you compared this to recommendations in 
draft-hodges-server-ident-check-00.txt? This draft has some extra 
recommendation about internationalized domain names (IDN).

Also, draft-hodges-server-ident-check-00.txt prohibits wildcard checks 
in CNs (case c).
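As an added illustration (not code from either poster, the XMPP standards, or the Hodges draft), the following Python sketch implements the matching order quoted above: the RFC 4985 SRV-ID otherName first, then the id-on-xmppAddr otherName, dNSName, and finally the subject CN, with wildcards permitted only in the last two and a switch to disallow them in the CN as the draft does. It works on names already extracted from the certificate; the `CertIdentities` structure, the function names and the use of Python's `idna` codec to put internationalized names into A-label form before comparison are assumptions of this example, not part of either message.

```python
"""Server-identity matching in the order quoted in the post (added example).

Assumptions: the caller has already parsed the X.509 certificate and extracted
the relevant names into a CertIdentities record; no ASN.1 parsing is done here.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentities:
    """Names pulled out of a server certificate (constructed for this example)."""
    srv_names: List[str] = field(default_factory=list)     # otherName id-on-dnsSRV (RFC 4985)
    xmpp_addrs: List[str] = field(default_factory=list)    # otherName id-on-xmppAddr
    dns_names: List[str] = field(default_factory=list)     # subjectAltName dNSName
    common_names: List[str] = field(default_factory=list)  # subject DN CN


def normalize(name: str) -> str:
    """Lower-case, drop a trailing dot, and convert IDN U-labels to A-labels.

    Comparing A-labels (ASCII) avoids the ambiguity of comparing Unicode
    forms directly; using the idna codec here is this example's choice.
    """
    name = name.strip().rstrip(".")
    return name.encode("idna").decode("ascii").lower()


def dns_name_matches(pattern: str, host: str, allow_wildcard: bool) -> bool:
    """Exact match, or a '*.' wildcard covering exactly one leftmost label."""
    pattern, host = normalize(pattern), normalize(host)
    if pattern == host:
        return True
    if not allow_wildcard or not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def check_server_identity(cert: CertIdentities, domain: str, service: str,
                          configured_host: Optional[str] = None,
                          understands_rfc4985: bool = True,
                          wildcard_in_cn: bool = True) -> Optional[str]:
    """Return the name of the step that matched, or None if nothing matched.

    service is "xmpp-client" or "xmpp-server"; domain is the JID domain;
    configured_host is an explicitly configured server hostname, if any.
    """
    # Step 1: RFC 4985 SRV-ID, exact match against _service.DOMAIN.
    if understands_rfc4985:
        expected_srv = normalize(f"_{service}.{domain}")
        if any(normalize(n) == expected_srv for n in cert.srv_names):
            return "srv-id"

    expected = [domain] + ([configured_host] if configured_host else [])

    # Step 2a: id-on-xmppAddr, exact match only (no wildcards in this step).
    if any(normalize(a) == normalize(e) for a in cert.xmpp_addrs for e in expected):
        return "xmppAddr"

    # Step 2b: dNSName, wildcard allowed.
    if any(dns_name_matches(d, e, True) for d in cert.dns_names for e in expected):
        return "dNSName"

    # Step 2c: subject CN; wildcard only if the policy allows it.
    if any(dns_name_matches(cn, e, wildcard_in_cn)
           for cn in cert.common_names for e in expected):
        return "CN"
    return None


if __name__ == "__main__":
    # Constructed certificate: only a wildcard CN and a dNSName are present.
    cert = CertIdentities(dns_names=["*.example.com"], common_names=["*.example.com"])
    print(check_server_identity(cert, "example.com", "xmpp-client",
                                configured_host="xmpp1.example.com"))
```

The `wildcard_in_cn` flag is where the two messages differ: with it set to `False` the same certificate that passes step (c) under the quoted algorithm is rejected, which is the behaviour the draft asks for.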
