[Standards] X.509 attributes

Dave Cridland dave@cridland.net
Tue May 13 20:44:51 UTC 2008

Let's give this one a different subject, then, eh?

On Tue May 13 20:12:53 2008, Shumon Huque wrote:
> On Tue, May 13, 2008 at 05:51:00PM +0100, Dave Cridland wrote:
> > On Tue May 13 17:16:39 2008, Shumon Huque wrote:
> > >I personally think we want to encourage the use of a generalized
> > >name form rather than an XMPP specific one. It will be much
> > >easier to get commercial CAs and other entities down the road
> > >to issue certs with general purpose extensions.
> >
> > Kind of - I'd prefer that certificates intended to be used as
> > authorization to act as a particular jid should use id-on-xmppAddr.
> Of course, a potential application-neutral option for this exists
> as well: the uniformResourceIdentifier SAN fields populated with
> jids in the xmpp URI scheme, e.g. xmpp:stpeter@jabber.org.

xmpp://stpeter@jabber.org maybe. For this instance, I'm not sure.
Would xmpp:stpeter@jabber.org provide authentication to talk to PSA?

I'm not convinced, because I don't know what it's intended to mean.

> > My (cynical) bet is that obtaining a single certificate with multiple
> > SRVNames will be just as hard/expensive/annoying as it is to obtain a
> > certificate with id-on-xmppAddr in - if for no other reason than the
> > commercial CAs will spot a way of making more money by forcing you to
> > get two certificates for the price of two,
> You might be right about that. I wonder if commercial CAs charge more
> for issuing certificates with multiple dNSNames?

I've no idea. It doesn't appear so, they just sign the CSR. But given
that the specifications (and entire point of PKI) mandate that they
check the Subject and every SAN, I think they'd probably be justified
in charging a bit more, to be fair.

> > whereas the xmppAddr style
> > is at least usable for all XMPP-related purposes, including C2S
> > client authentication.
> Again URI is an alternative option here ..

Yes, but historically, X.509 has simply had specific bits for each
usage, so ORNames for signing email, and similar identifiers to act
as P1 channels. Only DAP/LDAP have been immune from this, and really
because their concept of identity and identifiers is fundamental to
X.509 anyway, hence the DNs used for Subject and Issuer.

I've actually no idea what the URI General Name is for, but it
wouldn't surprise me if it has a very specific purpose that XMPP
authentication wouldn't fit. In lieu of wild guesses, though, I'll
ask the guy who sits next to me here, who's pretty knowledgeable on
X.509, and no doubt spawn an exciting office debate on the finer
details of the X.500 series.

(Yeah, we have to remind people here it's not X.MPP...)

Dave Cridland - mailto:dave@cridland.net - xmpp:dwd@jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
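As an added example, not code from this thread or from any XMPP project: the subjectAltName forms being argued over above (id-on-xmppAddr and SRVName as otherName, dNSName, and the uniformResourceIdentifier form) encoded and decoded by hand in DER, followed by two illustrative match functions. The OIDs are the registered ones (1.3.6.1.5.5.7.8.5 for id-on-xmppAddr, 1.3.6.1.5.5.7.8.7 for SRVName); stpeter@jabber.org and jabber.org are the names used in the thread. The matching policy is this example's own choice, not something any specification mandates: a jid is accepted only via id-on-xmppAddr, and the xmpp: URI form, whose meaning the thread leaves open, is decoded but not treated as authorization.

```python
# Added example: hand-rolled DER for the subjectAltName GeneralName forms
# discussed in the thread. Pure stdlib; no X.509 library is assumed.

ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"   # id-on-xmppAddr (otherName, UTF8String)
ID_ON_SRVNAME = "1.3.6.1.5.5.7.8.7"    # id-on-dnsSRV / SRVName (otherName, IA5String)


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def _other_name(oid: str, inner: bytes) -> bytes:
    # otherName [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
    return _tlv(0xA0, _oid(oid) + _tlv(0xA0, inner))


def build_san(dns=(), uris=(), xmpp_addrs=(), srv_names=()) -> bytes:
    """Encode a SubjectAltName (SEQUENCE OF GeneralName) from the given names."""
    names = b""
    for a in xmpp_addrs:
        names += _other_name(ID_ON_XMPPADDR, _tlv(0x0C, a.encode("utf-8")))  # UTF8String
    for s in srv_names:
        names += _other_name(ID_ON_SRVNAME, _tlv(0x16, s.encode("ascii")))   # IA5String
    for d in dns:
        names += _tlv(0x82, d.encode("ascii"))   # dNSName [2] IMPLICIT IA5String
    for u in uris:
        names += _tlv(0x86, u.encode("ascii"))   # uniformResourceIdentifier [6] IA5String
    return _tlv(0x30, names)


def _read_tlv(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_san(der: bytes):
    """Decode a SubjectAltName into (kind, value) tuples; unknown forms are kept by tag."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                                  # otherName
            _, oid_body, p = _read_tlv(body, 0)
            oid = _decode_oid(oid_body)
            _, wrapper, _ = _read_tlv(body, p)           # value [0] EXPLICIT
            _, inner, _ = _read_tlv(wrapper, 0)
            if oid == ID_ON_XMPPADDR:
                out.append(("xmppAddr", inner.decode("utf-8")))
            elif oid == ID_ON_SRVNAME:
                out.append(("srvName", inner.decode("ascii")))
            else:
                out.append(("otherName", oid))
        elif tag == 0x82:
            out.append(("dNSName", body.decode("ascii")))
        elif tag == 0x86:
            out.append(("uri", body.decode("ascii")))
        else:
            out.append(("unknown", tag))
    return out


def authorizes_jid(san_der: bytes, jid: str) -> bool:
    """Example policy: only id-on-xmppAddr authorizes acting as a jid (exact match;
    real code would apply JID string preparation first). The xmpp: URI form is ignored."""
    return ("xmppAddr", jid) in parse_san(san_der)


def authorizes_server(san_der: bytes, domain: str) -> bool:
    """Example s2s policy: dNSName == domain, SRVName for _xmpp-server, or a bare-domain xmppAddr."""
    wanted = {("dNSName", domain), ("srvName", "_xmpp-server." + domain), ("xmppAddr", domain)}
    return any(entry in wanted for entry in parse_san(san_der))
```

Round-tripping a SAN that carries all four forms shows how much structure a CA has to validate per entry: the two otherName forms are nested three TLVs deep and only identifiable by OID, which is the kind of per-name checking the message above expects CAs to charge for.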
