[Standards] TLS certificate fun
shuque at isc.upenn.edu
Tue May 13 16:16:39 UTC 2008
On Tue, May 13, 2008 at 01:50:14PM +0100, Dave Cridland wrote:
> After carefully reading RFC 4985, I think we shouldn't be using
> SRVName to identify a remote entity, due to the closing points of its
> Section 2.
I assume you're referring to the following:
A present SRVName in a certificate MUST NOT be used to identify a
host unless one of the following conditions applies:
* Use of this name form is specified by the security protocol being
used and the identified service has a defined service name
according to RFC 2782, or;
This just means that if XMPP wants to use SRVName then it
should explicitly say so in 3920bis. And that's exactly what
some of us are proposing.
I think the intent of the text is to exclude implicit use
of this SAN name form. Otherwise other application protocols
(that use RFC2782) that have their own preferred method of
subject identification would each have to explicitly put in
text in their own specs to exclude the use of RFC4985.
I personally think we want to encourage the use of a generalized
name form rather than an XMPP specific one. It will be much
easier to get commercial CAs and other entities down the road
to issue certs with general purpose extensions.
More information about the Standards