[Standards] TLS certificate fun

Shumon Huque shuque at isc.upenn.edu
Tue May 13 19:12:53 UTC 2008


On Tue, May 13, 2008 at 05:51:00PM +0100, Dave Cridland wrote:
> On Tue May 13 17:16:39 2008, Shumon Huque wrote:
> >I personally think we want to encourage the use of a generalized
> >name form rather than an XMPP specific one. It will be much
> >easier to get commercial CAs and other entities down the road
> >to issue certs with general purpose extensions.
> 
> Kind of - I'd prefer that certificates intended to be used as  
> authorization to act as a particular jid should use id-on-xmppAddr.

Of course, a potential application neutral option for this exists 
as well: the uniformResourceIdentifier SAN fields populated with 
jids in the xmpp URI scheme, e.g. xmpp:stpeter@jabber.org.

> XMPP Peer/Server identification is a particular case of this, but can  
> also be treated as a general form of SRV based lookup and  
> authentication, so either is probably useful in this case.  Note that  
> servers using RFC 4985 would either require different certificates on  
> C2S and S2S ports, or else use a certificate with at least two  
> SRVNames.

Right ..

> My (cynical) bet is that obtaining a single certificate with multiple  
> SRVNames will be just as hard/expensive/annoying as it is to obtain a  
> certificate with id-on-xmppAddr in - if for no other reason than the  
> commercial CAs will spot a way of making more money by forcing you to  
> get two certificates for the price of two,

You might be right about that. I wonder if commercial CAs charge more 
for issuing certificates with multiple dNSNames?

> whereas the xmppAddr style  
> is at least usable for all XMPP-related purposes, including C2S  
> client authentication.

Again URI is an alternative option here ..

--Shumon.
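The SAN forms discussed in this thread (dNSName, a uniformResourceIdentifier carrying an xmpp: URI, id-on-xmppAddr and an RFC 4985 SRVName), as an added example that is not code from the original post or from any XMPP project: a stdlib-only checker that decides which subjectAltName entries authorise a domain for the C2S or S2S port, and so shows why a single-SRVName certificate only covers one of them. The tuple layout for otherName entries and the sample SAN are constructed assumptions of this example.

```python
"""Match subjectAltName entries against an XMPP domain and port use.

Entry shape mirrors Python's ssl.getpeercert()['subjectAltName'] for
DNS and URI entries; otherName entries are modelled here as
('otherName', oid, decoded_value) tuples (an assumption of this example,
since the ssl module does not decode otherName contents)."""
from urllib.parse import urlsplit

ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"   # id-on-xmppAddr (RFC 6120)
ID_ON_SRVNAME = "1.3.6.1.5.5.7.8.7"    # id-on-dnsSRV, SRVName (RFC 4985)
SRV_SERVICE = {"c2s": "xmpp-client", "s2s": "xmpp-server"}


def _norm(name):
    return name.rstrip(".").lower()


def san_matches(entry, service, domain):
    """Return the SAN form that authorises `domain` for `service`, else None."""
    domain = _norm(domain)
    kind = entry[0]
    if kind == "DNS":
        return "dNSName" if _norm(entry[1]) == domain else None
    if kind == "URI":
        parts = urlsplit(entry[1])
        # an xmpp: URI carries the jid in its path, e.g. xmpp:example.net
        if parts.scheme.lower() == "xmpp" and _norm(parts.path) == domain:
            return "uniformResourceIdentifier(xmpp)"
        return None
    if kind == "otherName":
        oid, value = entry[1], entry[2]
        if oid == ID_ON_XMPPADDR and _norm(value) == domain:
            return "id-on-xmppAddr"
        if oid == ID_ON_SRVNAME:
            # SRVName is "_service.name"; the service must match the port's use
            svc, _, name = value.partition(".")
            if svc.lower() == "_" + SRV_SERVICE[service] and _norm(name) == domain:
                return "SRVName"
    return None


def acceptable_entries(san, service, domain):
    """List (entry, reason) pairs that authorise `domain` for `service`."""
    return [(e, san_matches(e, service, domain)) for e in san
            if san_matches(e, service, domain)]


# Constructed sample SAN: S2S-only SRVName alongside a URI form
SAMPLE_SAN = (
    ("DNS", "xmpp.example.net"),
    ("URI", "xmpp:example.net"),
    ("otherName", ID_ON_SRVNAME, "_xmpp-server.example.net"),
)
```

With this SAN the S2S port is covered by both the URI and the SRVName, while the C2S port is covered by the URI alone.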