On Thursday 15 September 2005 04:56 pm, Steven Peterson wrote:
> > The forced host name is not relevant to TLS, just like the IP address
> > that it resolves to. All that matters is the desired Jabber domain.
> > Users have a bad enough time trying to determine whether or not something
> > is secure, and adding further rules/exceptions would only make it worse.
>
> The rules can be hidden from the user. If a user forces a server,
> then the client application can accept either the cert for the forced
> server or for the user's domain.

This implies that the forced server is allowed to act as the Jabber domain, which it isn't. At the very least this extra trust would have to be optional. IMO, this is not worth bothering with, since we already have a better solution: XMPP OtherName. We need changes to clients to support either method, so we may as well do it the right way.

-Justin
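Added example, not part of the original thread or of any client's code: a sketch of the check discussed above, where the certificate is matched against the domain of the user's JID and the forced connect host is never used as a reference identity. The `CertIdentities` type, the function names and the sample host names are hypothetical, and accepting a dNSName match alongside the XMPP OtherName (id-on-xmppAddr) is an assumption of this sketch.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical container: a real client would fill this from the peer
# certificate's subjectAltName extension after chain validation.
@dataclass
class CertIdentities:
    xmpp_addrs: list = field(default_factory=list)  # id-on-xmppAddr OtherName values
    dns_names: list = field(default_factory=list)   # dNSName values

def _norm(name: str) -> str:
    return name.lower().rstrip(".")

def reference_identity(jid: str) -> str:
    """Domain part of the JID: strip the resource, then the local part."""
    bare = jid.split("/", 1)[0]
    return _norm(bare.split("@", 1)[-1])

def matched_by(jid: str, cert: CertIdentities,
               forced_host: Optional[str] = None) -> Optional[str]:
    """Return which identity type matched the Jabber domain, or None.

    forced_host only says where the TCP connection goes; it is
    deliberately ignored here, so a certificate that is valid only for
    the forced server does not let that server act as the domain.
    """
    domain = reference_identity(jid)
    if any(_norm(a) == domain for a in cert.xmpp_addrs):
        return "xmppAddr"
    if any(_norm(n) == domain for n in cert.dns_names):  # assumption: fallback
        return "dNSName"
    return None

if __name__ == "__main__":
    # Constructed sample data.
    jid, forced = "alice@example.org/home", "xmpp-host.provider.example"
    only_host = CertIdentities(dns_names=[forced])
    delegated = CertIdentities(xmpp_addrs=["example.org"], dns_names=[forced])
    print(matched_by(jid, only_host, forced))   # rejected
    print(matched_by(jid, delegated, forced))   # accepted via xmppAddr
```
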
