[Standards] XMPP Certificate checking algorithm

Alexey Melnikov alexey.melnikov at isode.com
Mon Mar 24 21:50:38 UTC 2008


Peter Saint-Andre wrote:

>Shumon Huque wrote:
>
 [...]

>>2. Look for expected server identity (either JID domain or 
>>   explicitly configured server hostname) in:
>>
>>	a. subjectAltName otherName field of type id-on-xmppAddr
>
>But I think we deprecate this for servers, so at least it should go
>after your (b).
>
This sounds reasonable.

>>	b. subjectAltName dNSName field
>>	c. subject DN's Common Name field
>
>Do we really want to check the CN? It's been deprecated for years.
>
If you want to retain compatibility with other protocols like HTTP and 
SMTP, you should keep it.

As a side note, CN is the easiest thing to set with openssl tools.
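The check order discussed above (dNSName first, then the id-on-xmppAddr otherName, then the subject CN as the legacy fallback), as an added example in plain Python that is not code from this thread or from any XMPP implementation. It assumes a minimal DER walker in place of a full X.509 library and works on the SubjectAltName extension value and subject CN that such a library would hand back; the function names and the sample SAN are my own constructed test data.

```python
# id-on-xmppAddr, 1.3.6.1.5.5.7.8.5, as the content bytes of a DER-encoded OID.
XMPP_ADDR_OID = bytes.fromhex("2b06010505070805")

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element; short-form length only, enough for name data under 128 bytes."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def der_elements(data: bytes):
    """Yield (tag, body) for each DER element laid out back to back in data."""
    i = 0
    while i + 1 < len(data):
        tag, n = data[i], data[i + 1]
        i += 2
        if n & 0x80:  # long form: the low 7 bits give the number of length bytes
            k = n & 0x7F
            n = int.from_bytes(data[i:i + k], "big")
            i += k
        yield tag, data[i:i + n]
        i += n

def identities_from_san(san: bytes):
    """Split a DER SubjectAltName into (dNSNames, xmppAddrs); other GeneralNames are skipped."""
    dns, xmpp = [], []
    for tag, body in der_elements(next(der_elements(san))[1]):  # outer SEQUENCE OF GeneralName
        if tag == 0x82:  # [2] dNSName: IA5String bytes directly under the tag
            dns.append(body.decode("ascii"))
        elif tag == 0xA0:  # [0] otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
            parts = list(der_elements(body))
            if len(parts) == 2 and parts[0] == (0x06, XMPP_ADDR_OID) and parts[1][0] == 0xA0:
                value = list(der_elements(parts[1][1]))
                if value and value[0][0] == 0x0C:  # UTF8String holding the JID
                    xmpp.append(value[0][1].decode("utf-8"))
    return dns, xmpp

def server_identity_match(san: bytes, cn: str, expected: str) -> str:
    """Check in the order settled on in the thread (dNSName, then xmppAddr, then CN as the
    legacy fallback); return the field that matched, or "". Exact match only, no wildcards."""
    dns, xmpp = identities_from_san(san)
    for field, names in (("dNSName", dns), ("xmppAddr", xmpp), ("CN", [cn])):
        if any(n.lower() == expected.lower() for n in names):
            return field
    return ""

def sample_san(dns_name: str, xmpp_addr: str) -> bytes:
    """Constructed SAN with one dNSName and one id-on-xmppAddr otherName (test data, not a real cert)."""
    other_name = tlv(0xA0, tlv(0x06, XMPP_ADDR_OID) + tlv(0xA0, tlv(0x0C, xmpp_addr.encode("utf-8"))))
    return tlv(0x30, other_name + tlv(0x82, dns_name.encode("ascii")))
```

Running server_identity_match(sample_san("xmpp.example.net", "example.net"), "legacy.example.net", name) returns "dNSName", "xmppAddr" or "CN" depending on which of the three identities name matches, and "" when none does.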
