[Standards] XMPP Certificate checking algorithm

Peter Saint-Andre stpeter at stpeter.im
Mon Mar 24 18:18:25 UTC 2008


Shumon Huque wrote:
> On Sun, Mar 23, 2008 at 10:58:58AM +0000, Alexey Melnikov wrote:
>> Have you compared this to recommendations in 
>> draft-hodges-server-ident-check-00.txt? This draft has some extra 
>> recommendation about internationalized domain names (IDN).
> 
> Thanks for the pointer. That looks reasonable to me. If it
> gets published, 3920bis could reference that, and then add
> supplementary text for the additional application specific 
> checks, e.g. what subjectAltName fields specifically to check 
> and how. I would be okay with either SRVName or URI as a means 
> to solve the application specific identity problem.

As mentioned, I think SRVName is better for this.

>> Also, draft-hodges-server-ident-check-00.txt prohibits wildcard checks 
>> in CNs (case c).
> 
> Hmm, personally I'm okay with this too (I've never been a fan
> of wildcard certs anyway). Unfortunately, the most likely
> case of seeing a wildcard today happens to be in the CN, so I
> would anticipate others might object to it ..

I think the appropriate place for wildcards is in the dnsName, not the CN.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
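
Added example, not part of the original message and not code from any XMPP project: a sketch of the policy discussed in this thread, where a wildcard is honoured in a subjectAltName dNSName entry but never in the CN. The function names, the left-most-label wildcard rule, the CN-only-as-fallback rule and the sample host names are assumptions; names are assumed to be already in ASCII (A-label) form, so IDN handling is out of scope.

```python
# Constructed illustration; all names here are hypothetical.

def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def match_dns_name(pattern, host):
    """Match one dNSName entry against the expected host.

    Assumption: '*' is honoured only as the entire left-most label.
    """
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Need two literal labels after the wildcard, so "*.org" never matches.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    # Partial wildcards such as "i*.example.org" are rejected.
    return "*" not in pattern and p == h

def check_identity(host, dns_names, common_name=None):
    """Return (matched, source) for the expected host.

    Wildcards count in dNSName entries only; the CN is compared literally.
    """
    for entry in dns_names:
        if match_dns_name(entry, host):
            return True, "dNSName"
    # Assumption: the CN is consulted only when the certificate carries no
    # dNSName at all, and a CN containing '*' is rejected outright.
    if not dns_names and common_name and "*" not in common_name:
        if _labels(common_name) == _labels(host):
            return True, "CN"
    return False, None

if __name__ == "__main__":
    # Constructed certificate contents for the demonstration.
    print(check_identity("im.example.org", ["*.example.org"]))
    print(check_identity("im.example.org", [], "*.example.org"))
```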
