[Standards] XMPP Certificate checking algorithm

Shumon Huque shuque at isc.upenn.edu
Tue Mar 25 13:29:39 UTC 2008


On Mon, Mar 24, 2008 at 12:18:25PM -0600, Peter Saint-Andre wrote:
> Shumon Huque wrote:
> > On Sun, Mar 23, 2008 at 10:58:58AM +0000, Alexey Melnikov wrote:
> >> Have you compared this to recommendations in 
> >> draft-hodges-server-ident-check-00.txt? This draft has some extra 
> >> recommendation about internationalized domain names (IDN).
> > 
> > Thanks for the pointer. That looks reasonable to me. If it
> > gets published, 3920bis could reference that, and then add
> > supplementary text for the additional application specific 
> > checks, e.g. what subjectAltName fields specifically to check 
> > and how. I would be okay with either SRVName or URI as a means 
> > to solve the application specific identity problem.
> 
> As mentioned, I think SRVName is better for this.

I'm good with that ..

> >> Also, draft-hodges-server-ident-check-00.txt prohibits wildcard checks 
> >> in CNs (case c).
> > 
> > Hmm, personally I'm okay with this too (I've never been a fan
> > of wildcards certs anyway). Unfortunately, the most likely
> > case of seeing a wildcard today happens to be in the CN, so I
> > would anticipate others might object to it ..
> 
> I think the appropriate place for wildcards is in the dnsName, not the CN.
> 
> Peter

Yeah, I certainly agree with that. And more generally, domain names
of any kind should not be placed in CN. I was mainly thinking of
compatibility with widely used practice. But perhaps the revised 
spec is a good opportunity to explicitly denigrate bad practices!

--Shumon.
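The identity-matching rules discussed in this thread (prefer SRVName, allow wildcards only in dNSName, never match a wildcard against the CN), written out as an added example that is not part of the original message. The certificate is a pre-parsed dict with constructed values, the SRVName `_service.domain` form and A-label (ASCII) hostnames are assumed, and the exact-match CN fallback is kept only for certificates that carry no dNSName or SRVName at all.

```python
# Added example: reference-identity check for an XMPP server certificate.
# Input is a pre-parsed certificate, e.g.
#   {"commonName": "...", "subjectAltName": [("dNSName", "..."), ("SRVName", "...")]}

def _norm(name: str) -> str:
    # Case-insensitive, trailing dot ignored; IDNs are assumed already in A-label form.
    return name.rstrip(".").lower()

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """dNSName match: exact, or a single '*' as the whole leftmost label
    standing for exactly one label. No partial wildcards and no '*.tld'."""
    p, h = _norm(pattern), _norm(hostname)
    if "*" not in p:
        return p == h
    plabels, hlabels = p.split("."), h.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in lab for lab in plabels[1:]):
        return False
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]

def verify_server_identity(cert: dict, domain: str, service: str = "_xmpp-server"):
    """Return (matched, which_identity_matched)."""
    sans = cert.get("subjectAltName", [])
    # 1. SRVName is the most application-specific identity: "_xmpp-server.domain".
    for kind, value in sans:
        if kind == "SRVName" and _norm(value) == _norm(f"{service}.{domain}"):
            return True, "SRVName"
    # 2. dNSName is the only place a wildcard is honoured.
    for kind, value in sans:
        if kind == "dNSName" and dns_name_matches(value, domain):
            return True, "dNSName"
    # 3. Legacy fallback: CN compared exactly, and only when no SAN identity exists.
    if not any(kind in ("dNSName", "SRVName") for kind, _ in sans):
        cn = cert.get("commonName", "")
        if cn and "*" not in cn and _norm(cn) == _norm(domain):
            return True, "CN"
    return False, "no match"

if __name__ == "__main__":
    # Constructed certificates: a wildcard in the CN is refused, the same
    # wildcard in a dNSName SAN is accepted.
    print(verify_server_identity({"commonName": "*.example.com"}, "im.example.com"))
    print(verify_server_identity(
        {"subjectAltName": [("dNSName", "*.example.com")]}, "im.example.com"))
```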
