[Standards] Proposed XMPP Extension: Remote Authentication
dave at cridland.net
Thu Dec 2 17:21:10 UTC 2010
On Thu Dec 2 17:16:06 2010, Kim Alvefur wrote:
> On Thu, 2010-12-02 at 17:06 +0000, Dave Cridland wrote:
> > (FWIW, I wondered for some time about clients generating a CSR and
> > having servers actually be PKIX CAs, but that equally gains
> > except adding lots more exciting-looking X.509).
> > Of course, if the certificate is signed by a trusted party (ie, a
> > real CA), then everything changes - the server cannot advertise a
> > false certificate any longer, so the situation is entirely
> This is where it would have been useful for the PKIX CA structure to be
> more like DNS, so you could sign certs for your own users and
Of course, you could do that with DNSSEC and CERT records.
Or you could do it with a mad CA which authenticated you as the owner
of a domain, and then granted you an ICA certificate with name
constraints for the domain.
Quite excitingly mad, actually - I'm almost tempted.
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
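
The name-constrained ICA idea in the message above, as an added example that is not part of the original post: a sketch of how a relying party would apply RFC 5280 name-constraint matching to names in certificates issued under such an ICA. It assumes user identities are carried as rfc822Name-style `user@domain` values; the function names and every domain and address are constructed for illustration.

```python
# Added example: RFC 5280 (section 4.2.1.10) matching for dNSName and rfc822Name.
# All domains and addresses are constructed sample values, not from the thread.

def dns_in_subtree(name: str, base: str) -> bool:
    """dNSName: the base itself, or the base with labels added on the left."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)

def email_in_subtree(addr: str, base: str) -> bool:
    """rfc822Name: base is a full mailbox, a host, or '.domain' (subdomains only)."""
    if "@" not in addr:
        return False
    local, _, host = addr.rpartition("@")
    host, base_l = host.lower(), base.lower()
    if "@" in base:                      # one specific mailbox
        b_local, _, b_host = base.rpartition("@")
        return local == b_local and host == b_host.lower()
    if base_l.startswith("."):           # any host below the domain, not the domain itself
        return host.endswith(base_l)
    return host == base_l                # any mailbox on exactly this host

MATCHERS = {"dns": dns_in_subtree, "email": email_in_subtree}

def allowed(kind, name, permitted, excluded=()):
    """True if `name` of type `kind` may appear under an ICA with these subtrees."""
    match = MATCHERS[kind]
    # Excluded subtrees win over permitted ones.
    if any(k == kind and match(name, b) for k, b in excluded):
        return False
    same_kind = [b for k, b in permitted if k == kind]
    if not same_kind:
        # No permitted subtree of this name type: the type is unconstrained.
        return True
    return any(match(name, b) for b in same_kind)

# Hypothetical constraints on an ICA granted to the owner of example.org.
ICA_PERMITTED = [("dns", "example.org"),
                 ("email", "example.org"),
                 ("email", ".example.org")]

if __name__ == "__main__":
    for kind, name in [("email", "alice@example.org"),
                       ("email", "alice@example.net"),
                       ("dns", "xmpp.example.org"),
                       ("dns", "badexample.org")]:
        print(kind, name, allowed(kind, name, ICA_PERMITTED))
```

A constraint set that lists only dNSName subtrees leaves rfc822Name unconstrained, so the granting CA has to constrain every name type the ICA could otherwise use.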