[Standards] TLS certificate fun

Shumon Huque shuque at isc.upenn.edu
Tue May 13 16:16:39 UTC 2008


On Tue, May 13, 2008 at 01:50:14PM +0100, Dave Cridland wrote:
> 
> After carefully reading RFC 4985, I think we shouldn't be using  
> SRVName to identify a remote entity, due to the closing points of its  
> Section 2.

Hi Dave, 

I assume you're referring to the following:

--
   A present SRVName in a certificate MUST NOT be used to identify a
   host unless one of the following conditions applies:

   *  Use of this name form is specified by the security protocol being
      used and the identified service has a defined service name
      according to RFC 2782, or;
--

This just means that if XMPP wants to use SRVName then it
should explicitly say so in 3920bis. And that's exactly what
some of us are proposing.

I think the intent of the text is to exclude implicit use
of this SAN name form. Otherwise other application protocols
(that use RFC 2782) that have their own preferred method of
subject identification would each have to explicitly put in
text in their own specs to exclude the use of RFC 4985.

I personally think we want to encourage the use of a generalized
name form rather than an XMPP specific one. It will be much 
easier to get commercial CAs and other entities down the road
to issue certs with general purpose extensions.

--Shumon.
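As an added illustration of the RFC 4985 rule quoted in this message (not code from the thread or from any XMPP implementation), the following check accepts an SRVName only when the application protocol explicitly permits the name form, and then compares the "_Service.Name" value against the expected service and host. The `OtherName` container, the sample SAN entries and the `protocol_permits_srvname` flag are assumptions of this example.

```python
import re
from dataclasses import dataclass

# RFC 4985: SRVName is carried in a subjectAltName otherName whose
# type-id is id-on-dnsSRV (1.3.6.1.5.5.7.8.7) and whose value is an
# IA5String of the form "_Service.Name".
ID_ON_DNSSRV = "1.3.6.1.5.5.7.8.7"


@dataclass(frozen=True)
class OtherName:
    """Simplified otherName (assumed shape): type-id OID and decoded value."""
    type_id: str
    value: str


def parse_srvname(value):
    """Split "_Service.Name" into (service, name), both lower-cased.

    Returns None if the value is not in the RFC 4985 name form.
    """
    m = re.fullmatch(r"_([A-Za-z0-9-]+)\.(.+)", value)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).rstrip(".").lower()


def srvname_identifies_host(san_other_names, service, host,
                            protocol_permits_srvname):
    """Apply the RFC 4985 section 2 rule to a list of otherName entries.

    SRVName MUST NOT identify a host unless the security protocol in use
    (here, hypothetically 3920bis for XMPP) explicitly specifies the name
    form; that permission is modelled by the caller-supplied flag.
    """
    if not protocol_permits_srvname:
        return False
    want = (service.lstrip("_").lower(), host.rstrip(".").lower())
    for entry in san_other_names:
        if entry.type_id != ID_ON_DNSSRV:
            continue  # some other otherName type, not an SRVName
        if parse_srvname(entry.value) == want:
            return True
    return False


# Constructed sample SAN contents for a server certificate.
SAMPLE_SAN = [
    OtherName("1.3.6.1.4.1.99999.1", "unrelated"),      # constructed OID
    OtherName(ID_ON_DNSSRV, "_xmpp-server.example.com"),
]
```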