[Standards] Proposed XMPP Extension: Remote Authentication

Dave Cridland dave at cridland.net
Thu Dec 2 17:21:10 UTC 2010


On Thu Dec  2 17:16:06 2010, Kim Alvefur wrote:
> On Thu, 2010-12-02 at 17:06 +0000, Dave Cridland wrote:
> > (FWIW, I wondered for some time about clients generating a CSR and
> > having servers actually be PKIX CAs, but that equally gains  
> nothing,
> > except adding lots more exciting-looking X.509).
> >
> > Of course, if the certificate is signed by a trusted party (ie, a
> > real CA), then everything changes - the server cannot advertise a
> > false certificate any longer, so the situation is entirely  
> different.
> 
> This is where it would have been useful for the PKIX CA structure  
> to be
> more like DNS, so you could sign certs for your own users and  
> subdomains
> etc.

Of course, you could do that with DNSSEC and CERT records.

Or you could do it with a mad CA which authenticated you as the owner  
of a domain, and then granted you an ICA certificate with name  
constraints for the domain.

Quite excitingly mad, actually - I'm almost tempted.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade



More information about the Standards mailing list