[Standards] XMPP Certificate checking algorithm

Peter Saint-Andre stpeter at stpeter.im
Tue Mar 25 13:34:56 UTC 2008


Shumon Huque wrote:
> On Mon, Mar 24, 2008 at 12:18:25PM -0600, Peter Saint-Andre wrote:
>> Shumon Huque wrote:
>>> On Sun, Mar 23, 2008 at 10:58:58AM +0000, Alexey Melnikov wrote:
>>>> Have you compared this to recommendations in 
>>>> draft-hodges-server-ident-check-00.txt? This draft has some extra 
>>>> recommendation about internationalized domain names (IDN).
>>> Thanks for the pointer. That looks reasonable to me. If it
>>> gets published, 3920bis could reference that, and then add
>>> supplementary text for the additional application specific 
>>> checks, e.g. what subjectAltName fields specifically to check 
>>> and how. I would be okay with either SRVName or URI as a means 
>>> to solve the application specific identity problem.
>> As mentioned, I think SRVName is better for this.
> 
> I'm good with that ..

OK.

>>>> Also, draft-hodges-server-ident-check-00.txt prohibits wildcard checks 
>>>> in CNs (case c).
>>> Hmm, personally I'm okay with this too (I've never been a fan
>>> of wildcard certs anyway). Unfortunately, the most likely
>>> case of seeing a wildcard today happens to be in the CN, so I
>>> would anticipate others might object to it ..
>> I think the appropriate place for wildcards is in the dnsName, not the CN.
>>
>> Peter
> 
> Yeah, I certainly agree with that. And more generally, domain names
> of any kind should not be placed in CN. I was mainly thinking of
> compatibility with widely used practice. But perhaps the revised 
> spec is a good opportunity to explicitly denigrate bad practices!

I'll add some text about it in the next version of rfc3920bis (which I
need to push out soon, since the existing version expires on April 7).

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
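
The position reached in this thread (match on SRVName, allow wildcards only in dNSName, never read a domain name from the CN), sketched as an added example; it is not text from this message, from rfc3920bis, or from draft-hodges-server-ident-check. Assumptions: the certificate has already been parsed into a dict of names (the function names, dict keys and sample values are hypothetical), names are already in ASCII form, and a wildcard counts only as the entire left-most label.

```python
def _labels(name):
    return name.rstrip(".").lower().split(".")

def dns_name_matches(pattern, domain):
    """Compare one dNSName entry with the expected domain.

    Assumption: '*' is honoured only as the whole left-most label and
    stands for exactly one label.
    """
    p, d = _labels(pattern), _labels(domain)
    if len(p) != len(d) or "" in p or "" in d:
        return False
    if p[0] == "*":
        # Require two fixed labels after the wildcard so "*.com" never matches.
        return len(p) >= 3 and p[1:] == d[1:]
    return "*" not in pattern and p == d

def srv_name_matches(srv_name, domain, service):
    """SRVName has the form '_service.domain'; no wildcard is accepted."""
    expected = "_%s.%s" % (service, domain.rstrip(".").lower())
    return srv_name.rstrip(".").lower() == expected

def check_identity(cert_ids, domain, service="xmpp-client"):
    """Return (ok, reason) for a dict with 'srv_names', 'dns_names', 'cn'.

    The CN is deliberately never consulted, so a certificate that carries
    its domain name only in the CN is rejected.
    """
    for srv in cert_ids.get("srv_names", []):
        if srv_name_matches(srv, domain, service):
            return True, "SRVName " + srv
    for dns in cert_ids.get("dns_names", []):
        if dns_name_matches(dns, domain):
            return True, "dNSName " + dns
    return False, "no matching subjectAltName"

# Constructed sample identities (not taken from any real certificate).
SAMPLE_SRV = {"srv_names": ["_xmpp-client.example.com"], "dns_names": [], "cn": "x"}
SAMPLE_WILDCARD = {"srv_names": [], "dns_names": ["*.example.com"], "cn": "x"}
SAMPLE_CN_ONLY = {"srv_names": [], "dns_names": [], "cn": "*.example.com"}

if __name__ == "__main__":
    for ids, dom in ((SAMPLE_SRV, "example.com"),
                     (SAMPLE_WILDCARD, "im.example.com"),
                     (SAMPLE_CN_ONLY, "im.example.com")):
        print(dom, check_identity(ids, dom))
```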
