[Standards] TLS certificate fun
shuque at isc.upenn.edu
Tue May 13 19:12:53 UTC 2008
On Tue, May 13, 2008 at 05:51:00PM +0100, Dave Cridland wrote:
> On Tue May 13 17:16:39 2008, Shumon Huque wrote:
> >I personally think we want to encourage the use of a generalized
> >name form rather than an XMPP specific one. It will be much
> >easier to get commercial CAs and other entities down the road
> >to issue certs with general purpose extensions.
> Kind of - I'd prefer that certificates intended to be used as
> authorization to act as a particular jid should use id-on-xmppAddr.
Of course, a potential application neutral option for this exists
as well: the uniformResourceIdentifier SAN fields populated with
jids in the xmpp URI scheme, e.g. xmpp:stpeter at jabber.org.
> XMPP Peer/Server identification is a particular case of this, but can
> also be treated as a general form of SRV based lookup and
> authentication, so either is probably useful in this case. Note that
> servers using RFC 4985 would either require different certificates on
> C2S and S2S ports, or else use a certificate with at least two
> My (cynical) bet is that obtaining a single certificate with multiple
> SRVNames will be just as hard/expensive/annoying as it is to obtain a
> certificate with id-on-xmppAddr in - if for no other reason than the
> commercial CAs will spot a way of making more money by forcing you to
> get two certificates for the price of two,
You might be right about that. I wonder if commercial CAs charge more
for issuing certificates with multiple dNSNames?
> whereas the xmppAddr style
> is at least usable for all XMPP-related purposes, including C2S
> client authentication.
Again, a URI is an alternative option here.
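The name forms compared in this thread (dNSName, id-on-xmppAddr, an RFC 4985 SRVName, and a URI SAN in the xmpp: scheme) side by side, as an added example that is not part of the thread: a small pure-Python DER decoder for the GeneralNames of a SubjectAltName extension, plus a check of which forms assert a given XMPP domain. The function names, the sample SAN bytes and the `_xmpp-server.` SRVName label are constructed for this example; the jid-valued URI reuses the one quoted above.

```python
# Added example: decode SAN GeneralNames and see which forms name an XMPP domain.
# OIDs: id-on-xmppAddr = 1.3.6.1.5.5.7.8.5 (RFC 3920), id-on-dnsSRV = 1.3.6.1.5.5.7.8.7 (RFC 4985)
OID_XMPPADDR = bytes.fromhex("2b06010505070805")
OID_DNSSRV = bytes.fromhex("2b06010505070807")
OTHERNAME_OIDS = {OID_XMPPADDR: "id-on-xmppAddr", OID_DNSSRV: "id-on-dnsSRV"}

def der(tag, body):
    assert len(body) < 0x80  # short-form length is enough for the constructed sample
    return bytes([tag, len(body)]) + body

def other_name(oid, string_tag, text):
    # otherName ::= [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
    return der(0xA0, der(0x06, oid) + der(0xA0, der(string_tag, text.encode())))

def tlv(buf, i):
    """Read one DER TLV at offset i (short or long length); return (tag, value, next offset)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def parse_san(san_der):
    """Return [(form, value)] for each GeneralName in a SAN extension value."""
    tag, body, _ = tlv(san_der, 0)
    assert tag == 0x30, "SAN value must be a SEQUENCE OF GeneralName"
    names, i = [], 0
    while i < len(body):
        tag, val, i = tlv(body, i)
        if tag == 0x82:                                   # [2] dNSName (IA5String)
            names.append(("dNSName", val.decode("ascii")))
        elif tag == 0x86:                                 # [6] uniformResourceIdentifier
            names.append(("uniformResourceIdentifier", val.decode("ascii")))
        elif tag == 0xA0:                                 # [0] otherName
            _, oid, j = tlv(val, 0)                       # type-id
            _, text, _ = tlv(tlv(val, j)[1], 0)           # string inside the [0] EXPLICIT wrapper
            names.append((OTHERNAME_OIDS.get(oid, "otherName " + oid.hex()), text.decode("utf-8")))
        # other forms (iPAddress, directoryName, ...) are not relevant here and are skipped
    return names

def forms_asserting_domain(names, domain):
    """SAN forms from the thread that would name the XMPP server `domain`."""
    want = {("dNSName", domain), ("id-on-xmppAddr", domain),
            ("id-on-dnsSRV", "_xmpp-server." + domain), ("uniformResourceIdentifier", "xmpp:" + domain)}
    return sorted(form for form, value in names if (form, value) in want)

# Constructed sample SAN: all four forms for jabber.org, plus a jid-valued URI.
SAMPLE_SAN = der(0x30, der(0x82, b"jabber.org") + other_name(OID_XMPPADDR, 0x0C, "jabber.org")
             + other_name(OID_DNSSRV, 0x16, "_xmpp-server.jabber.org")
             + der(0x86, b"xmpp:jabber.org") + der(0x86, b"xmpp:stpeter@jabber.org"))
```

Note that a jid-valued URI or xmppAddr (xmpp:stpeter@jabber.org) names a user, not the server, so it does not count toward the domain check.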