[Standards] XMPP Certificate checking algorithm
stpeter at stpeter.im
Mon Mar 24 18:18:25 UTC 2008
Shumon Huque wrote:
> On Sun, Mar 23, 2008 at 10:58:58AM +0000, Alexey Melnikov wrote:
>> Have you compared this to recommendations in
>> draft-hodges-server-ident-check-00.txt? This draft has some extra
>> recommendations about internationalized domain names (IDN).
> Thanks for the pointer. That looks reasonable to me. If it
> gets published, 3920bis could reference that, and then add
> supplementary text for the additional application-specific
> checks, e.g. what subjectAltName fields specifically to check
> and how. I would be okay with either SRVName or URI as a means
> to solve the application-specific identity problem.
As mentioned, I think SRVName is better for this.
>> Also, draft-hodges-server-ident-check-00.txt prohibits wildcard checks
>> in CNs (case c).
> Hmm, personally I'm okay with this too (I've never been a fan
> of wildcard certs anyway). Unfortunately, the most likely
> case of seeing a wildcard today happens to be in the CN, so I
> would anticipate others might object to it ...
I think the appropriate place for wildcards is in the dnsName, not the CN.
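
The matching policy discussed in this thread, as an added example that is not part of the original message or of either draft: SRVName is compared exactly, a wildcard is honoured only in dNSName, and CN is compared literally. The input dict layout, the one-label wildcard rule, and the use of CN only when no subjectAltName is present are assumptions of this example; IDN handling is left out.

```python
# Added illustration. Identities are assumed to be already extracted from the
# certificate into a dict (constructed sample data, no certificate parsing).

def _labels(name):
    return name.lower().rstrip(".").split(".")

def dns_name_matches(pattern, domain):
    """dNSName match; '*' is honoured only as the entire left-most label."""
    p, d = _labels(pattern), _labels(domain)
    if len(p) != len(d) or "" in p or "" in d:
        return False
    if p[0] == "*":
        # Assumption: the wildcard covers exactly one label and needs at
        # least two fixed labels after it, so "*.com" is refused.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == d[1:]
    return "*" not in pattern and p == d

def cn_matches(cn, domain):
    """CN is compared literally; a wildcard CN never matches."""
    return "*" not in cn and _labels(cn) == _labels(domain)

def check_identity(cert, domain, service="xmpp-server"):
    """Return the name of the field that matched, or None.

    cert: dict with optional keys 'srv_names', 'dns_names' (lists), 'cn' (str).
    """
    wanted_srv = "_%s.%s" % (service, domain.lower().rstrip("."))
    for srv in cert.get("srv_names", []):
        # SRVName binds the certificate to one service: exact compare only.
        if srv.lower().rstrip(".") == wanted_srv:
            return "SRVName"
    for name in cert.get("dns_names", []):
        if dns_name_matches(name, domain):
            return "dNSName"
    # Assumption: CN is a fallback used only when no subjectAltName exists.
    if not cert.get("srv_names") and not cert.get("dns_names"):
        cn = cert.get("cn")
        if cn and cn_matches(cn, domain):
            return "CN"
    return None
```
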