[Standards] X.509 attributes

Peter Saint-Andre stpeter at stpeter.im
Thu May 22 20:56:48 UTC 2008


On 05/13/2008 2:44 PM, Dave Cridland wrote:
> Let's give this one a different subject, then, eh?
> 
> On Tue May 13 20:12:53 2008, Shumon Huque wrote:
>> On Tue, May 13, 2008 at 05:51:00PM +0100, Dave Cridland wrote:
>> > On Tue May 13 17:16:39 2008, Shumon Huque wrote:
>> > >I personally think we want to encourage the use of a generalized
>> > >name form rather than an XMPP specific one. It will be much
>> > >easier to get commercial CAs and other entities down the road
>> > >to issue certs with general purpose extensions.
>> >
>> > Kind of - I'd prefer that certificates intended to be used as
>> > authorization to act as a particular jid should use id-on-xmppAddr.
>>
>> Of course, a potential application neutral option for this exists
>> as well: the uniformResourceIdentifier SAN fields populated with
>> jids in the xmpp URI scheme, eg. xmpp:stpeter@jabber.org.
>>
>>
> xmpp://stpeter@jabber.org maybe. For this instance, I'm not sure. Would
> xmpp:stpeter@jabber.org provide authentication to talk to PSA? :-)
> 
> I'm not convinced, because I don't know what it's intended to mean.

it = the URI?

Back in the dark ages of discussion about XMPP URIs, our illustrious
area director at the IETF suggested that we could specify an entity to
authorize *as* by including that identity as the authority component.

So if you want people to be able to log in as guest@example.com, the URI
would be:

  xmpp://guest@example.com

If you want people to be able to log in as guest@example.com and send a
message to support@example.com, the URI would be

  xmpp://guest@example.com/support@example.com?message

Yes this looks confusing. That's because it is. Basically just ignore
the authority component, i.e., don't include it in XMPP URIs. :)

>> > My (cynical) bet is that obtaining a single certificate with multiple
>> > SRVNames will be just as hard/expensive/annoying as it is to obtain a
>> > certificate with id-on-xmppAddr in - if for no other reason than the
>> > commercial CAs will spot a way of making more money by forcing you to
>> > get two certificates for the price of two,
>>
>> You might be right about that. I wonder if commercial CAs charge more
>> for issuing certificates with multiple dNSNames?

The XMPP ICA doesn't charge any money. :P

> I've no idea. It doesn't appear so, they just sign the CSR. But given
> that the specifications (and entire point of PKI) mandate that they
> check the Subject and every SAN, I think they'd probably be justified in
> charging a bit more, to be fair.
> 
> 
>> > whereas the xmppAddr style
>> > is at least usable for all XMPP-related purposes, including C2S
>> > client authentication.
>>
>> Again URI is an alternative option here ..
> 
> Yes, but historically, X.509 has simply had specific bits for each
> usage, so ORNames for signing email, and similar identifiers to act as
> P1 channels. Only DAP/LDAP have been immune from this, and really
> because their concept of identity and identifiers is fundamental to
> X.509 anyway, hence the DNs used for Subject and Issuer.
> 
> I've actually no idea what the URI General Name is for, but it wouldn't
> surprise me if it has a very specific purpose that XMPP authentication
> wouldn't fit. In lieu of wild guesses, though, I'll ask the guy who sits
> next to me here, who's pretty knowledgeable on X.509, and no doubt spawn
> an exciting office debate on the finer details of the X.500 series.

And the result was...? :)

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
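As an added example that is not part of this thread or of any XMPP project's code: a small pure-Python DER encoder/decoder for the SubjectAltName GeneralNames the thread compares (id-on-xmppAddr otherName, SRVName otherName, dNSName and uniformResourceIdentifier). OIDs are from RFC 3920 and RFC 4985; the sample certificate contents are constructed, and the OID and length handling is deliberately limited to the small values these extensions need.

```python
ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"  # XmppAddr ::= UTF8String (RFC 3920)
ID_ON_SRVNAME = "1.3.6.1.5.5.7.8.7"   # SRVName ::= IA5String (RFC 4985)

def _tlv(tag, body):  # DER TLV, short-form length only (SAN values are small)
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _oid(dotted):  # arcs below 128 only, which covers the id-on arc used here
    a = [int(x) for x in dotted.split(".")]
    assert all(x < 128 for x in a[2:])
    return _tlv(0x06, bytes([40 * a[0] + a[1]] + a[2:]))

def _decode_oid(body):  # inverse of _oid, same single-byte-arc restriction
    return ".".join(map(str, [body[0] // 40, body[0] % 40] + list(body[1:])))

def other_name(oid, value_tlv):
    # GeneralName.otherName is [0] IMPLICIT OtherName { type-id OID, value [0] EXPLICIT ANY }
    return _tlv(0xA0, _oid(oid) + _tlv(0xA0, value_tlv))

def san(*general_names):  # GeneralNames ::= SEQUENCE OF GeneralName
    return _tlv(0x30, b"".join(general_names))

def _read(buf, pos):  # returns (tag, contents, position after this TLV)
    tag, n = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def identities(san_der):  # walk a SubjectAltName value -> [(kind, value), ...]
    _, body, _ = _read(san_der, 0)
    pos, out = 0, []
    while pos < len(body):
        tag, inner, pos = _read(body, pos)
        if tag == 0xA0:                                  # otherName
            _, oid_body, p = _read(inner, 0)
            _, explicit, _ = _read(inner, p)             # [0] EXPLICIT wrapper
            _, value, _ = _read(explicit, 0)             # the UTF8String / IA5String
            oid = _decode_oid(oid_body)
            kind = {ID_ON_XMPPADDR: "xmppAddr", ID_ON_SRVNAME: "srvName"}.get(oid, oid)
            out.append((kind, value.decode("utf-8")))
        elif tag == 0x82:                                # dNSName
            out.append(("dNSName", inner.decode("ascii")))
        elif tag == 0x86:                                # uniformResourceIdentifier
            out.append(("uri", inner.decode("ascii")))
    return out

# Constructed sample: one SAN carrying all four identifier kinds discussed in the thread.
SAMPLE_SAN = san(
    other_name(ID_ON_XMPPADDR, _tlv(0x0C, "stpeter@jabber.org".encode("utf-8"))),
    other_name(ID_ON_SRVNAME, _tlv(0x16, b"_xmpp-client.jabber.org")),
    _tlv(0x82, b"jabber.org"),
    _tlv(0x86, b"xmpp:stpeter@jabber.org"),
)
```

Only the xmppAddr entry names a JID unambiguously; the URI entry carries the same string but, as the thread notes, no specification says what a URI SAN authorizes.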
