Jefferson Ogata wrote:
> I do have a concern about the RFC, in the details of cn matching
> performed when SRV records are involved. While clearly you do the right
> thing in ignoring the hostname returned in an SRV record for purposes of
> cn matching, the defined approach imposes a problematic constraint on
> servers: if I want to offer a certificate for users @example.com, I must
> use a certificate for "example.com". Because the cn of this certificate
> is the domain root, if stolen it could be used to spoof other services
> for the domain root itself. Meanwhile, since jabber servers are a new
> breed, there remains a great deal of unaudited server code. The prospect
> of having a certificate for my domain root running in an unaudited piece
> of server software exposed to the world is one I do not relish.
I have two issues with this paragraph:

The first/obvious one is probably nitpicking anyway, but I'd really like to hear what you call "new breed". http://www.xmpp.org/history.html claims that jabberd was 1.0 in 2000, which is not that new to me. But as I said, this might be nitpicking.

A completely different question comes to my mind when you talk about the certificate: even if your certificate for the CN example.com were stolen, what exactly is your connection to other services here? Each service could imo use a different certificate, if you want that. And all your clients should notice a change of a certificate anyway?

Pondering,
Ben
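The point both posters take as given is that an XMPP client which found its server through an SRV lookup must still match the certificate against the domain part of the JID (the name the user typed), never against the SRV target: the SRV answer is unauthenticated DNS, so an attacker who controls it could point clients at a host for which the attacker holds a perfectly valid certificate. The following Python is an added illustration of that check and is not code from this thread or from any XMPP implementation; the SRV answer, the JID domain and the certificate names are all constructed for the example, and the wildcard rule follows the usual HTTPS-style "left-most label only" convention.

```python
"""Reference-identity check for an XMPP client that located its server via SRV.

Added example for illustration; not code from the thread or from any XMPP
server or client.  Every hostname, SRV record and certificate name below is
constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def pick_srv_target(records):
    """Pick the record to connect to: lowest priority, then highest weight.

    Real clients randomise among equal-priority records in proportion to
    weight; a deterministic sort is enough to show the identity check.
    """
    if not records:
        raise ValueError("no SRV records")
    return sorted(records, key=lambda r: (r.priority, -r.weight))[0]


def reference_identity(jid_domain, srv_target):
    """Return the name the server certificate must match.

    The SRV target is deliberately ignored: it came from an unauthenticated
    DNS answer, so only the domain part of the JID is authoritative.
    """
    del srv_target  # unused on purpose; see docstring
    return jid_domain.lower().rstrip(".")


def dns_id_matches(presented, reference):
    """Match one presented DNS name (CN or SAN dNSName) against the reference.

    A wildcard is accepted only as the entire left-most label, only when at
    least two labels follow it, and it matches exactly one label, so
    '*.example.com' matches 'talk.example.com' but not 'example.com'.
    """
    p = presented.lower().rstrip(".")
    r = reference.lower().rstrip(".")
    if "*" not in p:
        return p == r
    p_labels = p.split(".")
    r_labels = r.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(r_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def certificate_accepted(cert_names, jid_domain, srv_target):
    """True if any name in the certificate matches the JID's domain."""
    ref = reference_identity(jid_domain, srv_target)
    return any(dns_id_matches(name, ref) for name in cert_names)


# Constructed scenario: users @example.com, SRV pointing at a hosting provider.
SRV_ANSWER = [
    SrvRecord(priority=10, weight=5, port=5222, target="xmpp1.hoster.example"),
    SrvRecord(priority=20, weight=5, port=5222, target="xmpp2.hoster.example"),
]


def demo(jid_domain="example.com"):
    """Run the check against two constructed certificates and report results."""
    target = pick_srv_target(SRV_ANSWER).target
    # A certificate the hosting provider can legitimately obtain for its box.
    hoster_cert = ["xmpp1.hoster.example"]
    # The domain-root certificate Ogata objects to having to deploy.
    root_cert = ["example.com"]
    return {
        "target": target,
        # Correct check: only the domain-root certificate is accepted.
        "hoster_cert_ok": certificate_accepted(hoster_cert, jid_domain, target),
        "root_cert_ok": certificate_accepted(root_cert, jid_domain, target),
        # The mistake being avoided: matching against the SRV target would
        # accept whatever certificate the host the DNS answer named presents.
        "naive_srv_match": any(dns_id_matches(n, target) for n in hoster_cert),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the hosting provider's own certificate rejected and the domain-root certificate accepted, while the "naive" line shows that matching the SRV target instead would have accepted the provider's certificate, which is exactly what an attacker with control over the DNS answer would exploit.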
