On Sat, 5 Nov 2005, Matthias Wimmer wrote:
> Justin Karneges wrote:
>
> > > - If the certificate is for "example.com", do you accept this
> > > certificate to be used for "service.example.com" as well? Currently I
> > > don't. But I am not sure if this is correct/intended by RFC3920.
> >
> > You shouldn't. And I don't think XMPP-Core says to do this either.
> > However, given that the draft does mention subdomains in places, maybe we
> > could use a clarification. I personally don't think the word 'subdomain'
> > should exist in the entire draft, but it is there.
>
> I don't really like to allow subdomains either. But it might be handy if you
> do not have to include all services offered by a server into the certificate
> (so you need to get a new certificate whenever you add a service) or get
> separate certificates for all services.

The specification of subdomain handling in RFC 3920 seems to be completely
broken. I asked about it recently on the xmppwg list and I haven't received
any satisfactory replies. The difficulty of handling TLS authentication makes
it worse...

http://mail.jabber.org/pipermail/xmppwg/2005-October/002331.html

Tony.
-- 
f.a.n.finch <[EMAIL PROTECTED]> http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.
