[Standards] XMPP Certificate checking algorithm

Peter Saint-Andre stpeter at stpeter.im
Mon Mar 24 18:04:44 UTC 2008


Alexey Melnikov wrote:
> Hi Shumon,
> 
> Shumon Huque wrote:
> 
>> Any comments on the following server certificate checking algorithm?
>>
>> 1. (If implementation understands RFC4985) look for RFC4985 style  
>> service identity in an otherName field (of type OID id-on-dnsSRV).  
>> The expected identity should be:
>>
>>     _xmpp-client.DOMAIN for client-server connections
>>     _xmpp-server.DOMAIN for server-server connections
>>
>>   where DOMAIN is the JID domain.
>>
>> 2. Look for expected server identity (either JID domain or  
>> explicitly configured server hostname) in:
>>
>>     a. subjectAltName otherName field of type id-on-xmppAddr
>>     b. subjectAltName dNSName field
>>     c. subject DN's Common Name field
>>
>>   Wildcard name matches could be allowed in (b) and (c).
>>
> Have you compared this to recommendations in
> draft-hodges-server-ident-check-00.txt? This draft has some extra
> recommendation about internationalized domain names (IDN).
> 
> Also, draft-hodges-server-ident-check-00.txt prohibits wildcard checks
> in CNs (case c).

So I see. That seems like a helpful document. Is it being discussed on
the TLS list?

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
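The identity-matching step of the algorithm quoted above, written out as a runnable example. This is added illustration, not code from the thread or from any XMPP project. It assumes the certificate's names have already been extracted from the parsed X.509 structure into a small record (`CertIdentities`, a constructed type); the OID constants are the id-on-dnsSRV and id-on-xmppAddr arcs from RFC 4985 and RFC 3920. The `allow_cn_wildcard` switch reflects the point from the Hodges draft that wildcard matching in the Common Name may be prohibited; IDN handling is out of scope here.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Object identifiers for the two otherName forms discussed in the thread.
ID_ON_DNSSRV = "1.3.6.1.5.5.7.8.7"    # RFC 4985 SRVName (id-on 7)
ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"  # RFC 3920 XmppAddr (id-on 5)


@dataclass
class CertIdentities:
    """Constructed view of the identities carried by a server certificate.

    A real implementation would fill these from the parsed certificate:
    subjectAltName otherName entries (keyed by the OIDs above), dNSName
    entries, and the CN attribute(s) of the subject DN.
    """
    srv_names: List[str] = field(default_factory=list)     # otherName id-on-dnsSRV
    xmpp_addrs: List[str] = field(default_factory=list)    # otherName id-on-xmppAddr
    dns_names: List[str] = field(default_factory=list)     # subjectAltName dNSName
    common_names: List[str] = field(default_factory=list)  # subject DN CN


def _normalize(name: str) -> str:
    # ASCII case-insensitive comparison, trailing dot ignored; no IDN mapping here.
    return name.lower().rstrip(".")


def _wildcard_match(pattern: str, name: str) -> bool:
    """Exact match, or a single leading '*.' label matching exactly one label.

    '*.example.com' matches 'chat.example.com' but not 'example.com' itself
    and not 'a.b.example.com'.
    """
    pattern, name = _normalize(pattern), _normalize(name)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        if not name.endswith(suffix):
            return False
        prefix = name[: -len(suffix)]
        return prefix != "" and "." not in prefix
    return pattern == name


def check_server_identity(cert: CertIdentities, expected: str, role: str,
                          understands_rfc4985: bool = True,
                          allow_cn_wildcard: bool = True) -> Optional[str]:
    """Return the name of the field that matched, or None if nothing did.

    expected: the JID domain, or an explicitly configured server hostname.
    role:     'client' for client-to-server, 'server' for server-to-server.
    Fields are tried in the order given in the thread: SRV-ID, xmppAddr,
    dNSName, CN.
    """
    if role not in ("client", "server"):
        raise ValueError("role must be 'client' or 'server'")

    # Step 1: RFC 4985 SRVName, e.g. _xmpp-server.example.com (no wildcards).
    if understands_rfc4985:
        srv_expected = _normalize(f"_xmpp-{role}.{expected}")
        if any(_normalize(s) == srv_expected for s in cert.srv_names):
            return "srv-id"

    # Step 2a: id-on-xmppAddr otherName, exact match only.
    if any(_normalize(a) == _normalize(expected) for a in cert.xmpp_addrs):
        return "xmppAddr"

    # Step 2b: dNSName, wildcard allowed.
    if any(_wildcard_match(d, expected) for d in cert.dns_names):
        return "dNSName"

    # Step 2c: subject CN; wildcard only if policy permits it.
    for cn in cert.common_names:
        if allow_cn_wildcard:
            matched = _wildcard_match(cn, expected)
        else:
            matched = _normalize(cn) == _normalize(expected)
        if matched:
            return "CN"

    return None


if __name__ == "__main__":
    # Constructed sample certificate identities.
    cert = CertIdentities(srv_names=["_xmpp-server.example.com"],
                          dns_names=["*.example.com"],
                          common_names=["example.com"])
    print(check_server_identity(cert, "example.com", "server"))        # srv-id
    print(check_server_identity(cert, "chat.example.com", "client"))   # dNSName
    print(check_server_identity(cert, "a.b.example.com", "client"))    # None
```

The order of checks is the thread's order, so a certificate carrying a correct SRV-ID is accepted on that basis before any wildcard DNS name is consulted, and the wildcard helper deliberately refuses to let `*.example.com` stand for the bare domain or for names more than one label deeper.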
