[Standards] TLS certificate fun

Dave Cridland dave at cridland.net
Tue May 13 16:51:00 UTC 2008


On Tue May 13 17:16:39 2008, Shumon Huque wrote:
> I personally think we want to encourage the use of a generalized
> name form rather than an XMPP specific one. It will be much
> easier to get commercial CAs and other entities down the road
> to issue certs with general purpose extensions.

Kind of - I'd prefer that certificates intended to be used as  
authorization to act as a particular jid should use id-on-xmppAddr.

XMPP Peer/Server identification is a particular case of this, but can  
also be treated as a general form of SRV based lookup and  
authentication, so either is probably useful in this case.  Note that  
servers using RFC 4985 would either require different certificates on  
C2S and S2S ports, or else use a certificate with at least two  
SRVNames.

My (cynical) bet is that obtaining a single certificate with multiple  
SRVNames will be just as hard/expensive/annoying as it is to obtain a  
certificate with id-on-xmppAddr in - if for no other reason than the  
commercial CAs will spot a way of making more money by forcing you to  
get two certificates for the price of two, whereas the xmppAddr style  
is at least usable for all XMPP-related purposes, including C2S  
client authentication.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
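An added example, not part of this thread or of any XMPP server's code, showing the distinction the post draws: a minimal walk over a certificate's DER subjectAltName that accepts a domain for a given XMPP service either through one id-on-xmppAddr name or through the matching per-service RFC 4985 SRVName, so a certificate carrying only `_xmpp-server.<domain>` is usable for S2S but not C2S. The helper names (`_tlv`, `_oid`, `other_names`, `authorizes`) and the short-form-length DER handling are this example's own simplifications, and the sample SAN values are constructed inline rather than taken from real certificates.

```python
OID_XMPPADDR = "1.3.6.1.5.5.7.8.5"  # id-on-xmppAddr: value is a UTF8String jid
OID_SRVNAME = "1.3.6.1.5.5.7.8.7"   # id-on-dnsSRV (RFC 4985): IA5String "_svc.domain"

def _tlv(tag, body):
    """DER tag-length-value, short-form length only (enough for these names)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _oid(dotted):
    """DER OID encoding; every arc after the first two must fit in 7 bits."""
    arcs = [int(a) for a in dotted.split(".")]
    assert all(a < 128 for a in arcs[2:])
    return _tlv(0x06, bytes([40 * arcs[0] + arcs[1]] + arcs[2:]))

def _other_name(oid, string_tag, text):
    # otherName ::= [0] { type-id OID, value [0] EXPLICIT ANY DEFINED BY type-id }
    return _tlv(0xA0, _oid(oid) + _tlv(0xA0, _tlv(string_tag, text.encode())))

def _read_tlv(buf, pos):
    tag, ln = buf[pos], buf[pos + 1]
    assert ln < 128, "long-form lengths are out of scope for this example"
    return tag, buf[pos + 2:pos + 2 + ln], pos + 2 + ln

def other_names(san_der):
    """Yield (oid_der, text) for every otherName in a DER SubjectAltName value."""
    tag, seq, _ = _read_tlv(san_der, 0)
    assert tag == 0x30, "SubjectAltName is a SEQUENCE OF GeneralName"
    pos = 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0xA0:                  # dNSName ([2]) and friends are ignored here
            continue
        oid = body[:2 + body[1]]         # the type-id OID, kept as raw DER
        _, wrapper, _ = _read_tlv(body, len(oid))
        _, value, _ = _read_tlv(wrapper, 0)
        yield oid, value.decode("utf-8")

def authorizes(san_der, domain, service):
    """True if the SAN lets the holder act for domain as 'xmpp-client' or 'xmpp-server'."""
    want_srv = f"_{service}.{domain}".lower()
    for oid, text in other_names(san_der):
        if oid == _oid(OID_XMPPADDR) and text.lower() == domain.lower():
            return True                  # one xmppAddr covers every XMPP role
        if oid == _oid(OID_SRVNAME) and text.lower() == want_srv:
            return True                  # an SRVName covers exactly one service
    return False

# Constructed sample SAN values (not from real certificates).
SAN_XMPPADDR = _tlv(0x30, _other_name(OID_XMPPADDR, 0x0C, "example.net"))
SAN_S2S_ONLY = _tlv(0x30, _other_name(OID_SRVNAME, 0x16, "_xmpp-server.example.net"))
```

A real validator would additionally verify the chain, check dNSName entries per RFC 3920, and handle long-form DER lengths; this block only isolates the name-form comparison.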