[Standards] Checking hostname in XMPP server when using TLS

Dave Cridland dave at cridland.net
Wed Nov 3 11:25:39 UTC 2010


On Tue Nov  2 22:11:18 2010, zhong ming wu wrote:
> TLS implementations of HTTP/SMTP/IMAP/POP do not work like XMPP in  
> this regard

As Simon said, they actually do.

In all cases, the user inputs a required authorization identifier,  
and the X.509 certificate presented by the server is checked to  
ensure it can be used to authorize that identifier.

In the XMPP case, the user enters the server's jid as part of the  
account name they're connecting to.

In the HTTP case, the user enters the server's domain as part of the  
URI they're connecting to.

This similarity is being made more explicit, and more uniform, by  
Peter Saint-Andre's work within the IETF  
(draft-saintandre-tls-server-id-check).

In the case of virtual hosting, things can and do get quite difficult  
to usefully provision, which is why technologies like "domain name  
assertions" are being looked at within the IETF, too.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
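The uniform model Dave describes (user-supplied identifier becomes the reference identity, the certificate's presented identifiers are checked against it, as in draft-saintandre-tls-server-id-check / RFC 6125) as an added worked example, not code from the thread. The certificate is a constructed dict of presented identifiers; IDNA/stringprep normalisation is omitted, and the public-suffix guard is a simplification.

```python
from urllib.parse import urlsplit

# Constructed stand-in for a server certificate's subjectAltName entries.
CERT = {
    "DNS": ["*.example.net", "im.example.com"],      # dNSName (DNS-ID)
    "SRV": ["_xmpp-client.example.com"],             # SRVName (SRV-ID)
    "XmppAddr": ["example.com"],                     # XMPP-specific id-on-xmppAddr
}

def reference_id_from_jid(jid):
    """XMPP: the domainpart of the JID the user typed is the reference identity."""
    domainpart = jid.split("@", 1)[-1].split("/", 1)[0]
    return domainpart.lower().rstrip(".")

def reference_id_from_uri(uri):
    """HTTP: the host of the URI the user typed is the reference identity."""
    return urlsplit(uri).hostname.rstrip(".")

def dns_id_matches(reference, presented):
    """DNS-ID comparison: exact match, or a wildcard that is the whole left-most
    label and covers exactly one label (RFC 6125 section 6.4.3)."""
    ref, pres = reference.lower().rstrip("."), presented.lower().rstrip(".")
    if "*" not in pres:
        return ref == pres
    head, _, tail = pres.partition(".")
    if head != "*" or "*" in tail or tail.count(".") < 1:
        return False  # reject 'w*.example', nested wildcards and '*.com'
    ref_head, _, ref_tail = ref.partition(".")
    return ref_head != "" and ref_tail == tail

def cert_authorizes(reference, service, cert):
    """True if any presented identifier authorizes the reference identity for
    the given application service (e.g. 'xmpp-client', 'https')."""
    for srv in cert.get("SRV", []):                   # SRV-ID: _service.name
        srv_service, _, srv_host = srv.partition(".")
        if srv_service == "_" + service and srv_host.lower() == reference:
            return True
    if any(x.lower() == reference for x in cert.get("XmppAddr", [])):
        return True
    return any(dns_id_matches(reference, d) for d in cert.get("DNS", []))

if __name__ == "__main__":
    for ref, svc in [(reference_id_from_jid("alice@example.com/laptop"), "xmpp-client"),
                     (reference_id_from_uri("https://chat.example.net/"), "https"),
                     (reference_id_from_uri("https://evil.example.org/"), "https")]:
        print(ref, svc, cert_authorizes(ref, svc, CERT))
```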
