[Standards] XMPP Certificate checking algorithm

Shumon Huque shuque at isc.upenn.edu
Mon Mar 24 18:14:33 UTC 2008


On Sun, Mar 23, 2008 at 10:58:58AM +0000, Alexey Melnikov wrote:
> >
> Have you compared this to the recommendations in 
> draft-hodges-server-ident-check-00.txt? This draft has some extra 
> recommendations about internationalized domain names (IDN).

Thanks for the pointer. That looks reasonable to me. If it
gets published, 3920bis could reference that, and then add
supplementary text for the additional application-specific 
checks, e.g. what subjectAltName fields specifically to check 
and how. I would be okay with either SRVName or URI as a means 
to solve the application-specific identity problem.

> Also, draft-hodges-server-ident-check-00.txt prohibits wildcard checks 
> in CNs (case c).

Hmm, personally I'm okay with this too (I've never been a fan
of wildcard certs anyway). Unfortunately, the most likely
case of seeing a wildcard today happens to be in the CN, so I
would anticipate others might object to it ...

--Shumon.


