[Standards] X.509 attributes
stpeter at stpeter.im
Thu May 22 20:56:48 UTC 2008
On 05/13/2008 2:44 PM, Dave Cridland wrote:
> Let's give this one a different subject, then, eh?
> On Tue May 13 20:12:53 2008, Shumon Huque wrote:
>> On Tue, May 13, 2008 at 05:51:00PM +0100, Dave Cridland wrote:
>> > On Tue May 13 17:16:39 2008, Shumon Huque wrote:
>> > >I personally think we want to encourage the use of a generalized
>> > >name form rather than an XMPP specific one. It will be much
>> > >easier to get commercial CAs and other entities down the road
>> > >to issue certs with general purpose extensions.
>> > Kind of - I'd prefer that certificates intended to be used as
>> > authorization to act as a particular jid should use id-on-xmppAddr.
>> Of course, a potential application neutral option for this exists
>> as well: the uniformResourceIdentifier SAN fields populated with
>> jids in the xmpp URI scheme, eg. xmpp:stpeter at jabber.org.
> xmpp://email@example.com maybe. For this instance, I'm not sure. Would
> xmpp:stpeter at jabber.org provide authentication to talk to PSA? :-)
> I'm not convinced, because I don't know what it's intended to mean.
it = the URI?
Back in the dark ages of discussion about XMPP URIs, our illustrious
area director at the IETF suggested that we could specify an entity to
authorize *as* by including that identity as the authority component.
So if you want people to be able to log in as guest at example.com, the URI
If you want people to be able to log in as guest at example.com and send a
message to support at example.com, the URI would be
Yes this looks confusing. That's because it is. Basically just ignore
the authority component, i.e., don't include it in XMPP URIs. :)
>> > My (cynical) bet is that obtaining a single certificate with multiple
>> > SRVNames will be just as hard/expensive/annoying as it is to obtain a
>> > certificate with id-on-xmppAddr in - if for no other reason than the
>> > commercial CAs will spot a way of making more money by forcing you to
>> > get two certificates for the price of two,
>> You might be right about that. I wonder if commercial CAs charge more
>> for issuing certificates with multiple dNSNames?
The XMPP ICA doesn't charge any money. :P
> I've no idea. It doesn't appear so, they just sign the CSR. But given
> that the specifications (and entire point of PKI) mandate that they
> check the Subject and every SAN, I think they'd probably be justified in
> charging a bit more, to be fair.
>> > whereas the xmppAddr style
>> > is at least usable for all XMPP-related purposes, including C2S
>> > client authentication.
>> Again, a URI is an alternative option here.
> Yes, but historically, X.509 has simply had specific bits for each
> usage, so ORNames for signing email, and similar identifiers to act as
> P1 channels. Only DAP/LDAP have been immune from this, and really
> because their concept of identity and identifiers is fundamental to
> X.509 anyway, hence the DNs used for Subject and Issuer.
> I've actually no idea what the URI General Name is for, but it wouldn't
> surprise me if it has a very specific purpose that XMPP authentication
> wouldn't fit. In lieu of wild guesses, though, I'll ask the guy who sits
> next to me here, who's pretty knowledgeable on X.509, and no doubt spawn
> an exciting office debate on the finer details of the X.500 series.
And the result was...? :)
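The thread compares several ways of binding a JID into a certificate: the id-on-xmppAddr otherName, the SRVName otherName, a plain dNSName, and a uniformResourceIdentifier SAN carrying an xmpp: URI (with the advice above to ignore the URI's authority component). The following is an added example, not code from the thread or from any XMPP project: a minimal DER codec that builds a subjectAltName GeneralNames value containing all four forms, parses it back, and extracts the JIDs the certificate asserts. The OIDs are the registered ones (id-on-xmppAddr 1.3.6.1.5.5.7.8.5, id-on-dnsSRV 1.3.6.1.5.5.7.8.7); the sample names and the rule that an xmpp:// URI's authority is dropped in favour of its path are constructed assumptions for illustration. Standard library only.

```python
"""Added example: encode/decode the SAN name forms discussed in the thread
(id-on-xmppAddr otherName, SRVName otherName, dNSName, xmpp: URI) with a
minimal DER codec, then list the JIDs a certificate asserts.
Sample names below are constructed for illustration, not real certificates."""
from urllib.parse import unquote

ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"   # xmppAddr otherName (RFC 3920)
ID_ON_DNSSRV = "1.3.6.1.5.5.7.8.7"     # SRVName otherName (RFC 4985)


def _len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    """One DER tag-length-value element."""
    return bytes([tag]) + _len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (base-128 arcs, first two packed)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    """DER OID content octets -> dotted string."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos=0):
    """Return (tag, value bytes, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def other_name(oid, string_tag, text):
    # GeneralName otherName [0]: SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
    return tlv(0xA0, encode_oid(oid) + tlv(0xA0, tlv(string_tag, text.encode("utf-8"))))


def build_san(xmpp_addrs=(), srv_names=(), dns_names=(), uris=()):
    """GeneralNames SEQUENCE with the identifier forms from the thread."""
    names = [other_name(ID_ON_XMPPADDR, 0x0C, j) for j in xmpp_addrs]   # UTF8String
    names += [other_name(ID_ON_DNSSRV, 0x16, s) for s in srv_names]     # IA5String
    names += [tlv(0x82, d.encode("ascii")) for d in dns_names]          # dNSName [2]
    names += [tlv(0x86, u.encode("ascii")) for u in uris]               # URI [6]
    return tlv(0x30, b"".join(names))


def parse_san(der):
    """Decode GeneralNames into (kind, value) pairs."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("SAN must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0xA0:                                   # otherName
            _, oid_body, p = read_tlv(val)
            _, wrapper, _ = read_tlv(val, p)              # [0] EXPLICIT
            _, text, _ = read_tlv(wrapper)
            oid = decode_oid(oid_body)
            kind = {ID_ON_XMPPADDR: "xmppAddr", ID_ON_DNSSRV: "SRVName"}.get(oid, "otherName " + oid)
            out.append((kind, text.decode("utf-8")))
        elif tag == 0x82:
            out.append(("dNSName", val.decode("ascii")))
        elif tag == 0x86:
            out.append(("URI", val.decode("ascii")))
        else:                                             # rfc822Name, iPAddress, ...
            out.append(("unhandled tag 0x%02x" % tag, val))
    return out


def jid_from_xmpp_uri(uri):
    """JID named by an xmpp: URI. Assumption (per the advice in the thread):
    an authority component (xmpp://auth@host/...) is ignored and only the
    path, before any '?' or '#', is taken as the JID."""
    if not uri.lower().startswith("xmpp:"):
        return None
    rest = uri[5:]
    if rest.startswith("//"):
        rest = rest[2:].partition("/")[2]                 # drop authority, keep path
    path = rest.split("?", 1)[0].split("#", 1)[0]
    return unquote(path) or None


def asserted_jids(der):
    """JIDs a SAN asserts via xmppAddr or xmpp: URI (dNSName/SRVName name hosts, not JIDs)."""
    jids = set()
    for kind, value in parse_san(der):
        if kind == "xmppAddr":
            jids.add(value)
        elif kind == "URI":
            jid = jid_from_xmpp_uri(value)
            if jid:
                jids.add(jid)
    return jids


# Constructed sample carrying every form at once.
SAMPLE_SAN = build_san(
    xmpp_addrs=["juliet@example.com"],
    srv_names=["_xmpp-client.example.com"],
    dns_names=["example.com"],
    uris=["xmpp:romeo@example.net", "xmpp://guest@example.com/support@example.com", "https://example.com/"],
)

if __name__ == "__main__":
    for kind, value in parse_san(SAMPLE_SAN):
        print(kind, value)
    print("asserted JIDs:", sorted(asserted_jids(SAMPLE_SAN)))
```

Note that dNSName and SRVName entries name a host or service, not a JID, so they are reported but never added to the asserted JID set; whether a verifier should accept a bare JID from a URI SAN at all is exactly the open question in the thread, and this code only shows what such a rule would look like.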