We seem to have consensus about adding id-on-dnsSRV (see RFC 4985) to the certificate generation format in rfc3920bis. Details are in Section 15.2.1.1 of the spec:

http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3920bis-06.html#security-certificates-generation-server

Now I'm looking into adding that field to the certs issued by the XMPP ICA <https://www.xmpp.net/>.

So a few questions and points of interest:

1. RFC 4985 doesn't say anything about wildcards so I assume those are out (they're probably not even allowed by RFC 2782).

2. Do we include the id-on-dnsSRV field only if admins specify that they have DNS SRV records? That seems overly complex. Just include it in case they get their DNS act together.

3. The new cert format should be backward compatible because all we're doing is adding the id-on-dnsSRV. New clients and servers will look for it but old ones will just ignore it.

Does anyone have questions or concerns about this change? I plan to make this a reality soon...

/psa
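To make the three points above concrete, here is an added, stand-alone example (not code from the post, the XMPP ICA, or rfc3920bis) that builds and parses a SubjectAltName GeneralNames value carrying an id-on-dnsSRV otherName (RFC 4985, OID 1.3.6.1.5.5.7.8.7) next to an ordinary dNSName, then applies a name check the way a verifying XMPP server might. Assumptions: the SRVName comparison splits "_Service.Name" at the first dot and is case-insensitive; wildcards are rejected, following point 1; the legacy-verifier branch simply ignores the otherName and matches dNSName, which is the backward compatibility point 3 relies on. The check policy is illustrative, not the exact algorithm in the spec. Standard library only.

```python
# Added example: minimal DER handling for an id-on-dnsSRV otherName in a SAN.
# OID below is from RFC 4985; matching policy is an illustrative assumption.
ID_ON_DNSSRV = "1.3.6.1.5.5.7.8.7"  # id-on-dnsSRV, RFC 4985 section 2


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128, high bit on all but last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def encode_san(srv_names, dns_names):
    """GeneralNames SEQUENCE holding otherName(SRVName) and dNSName entries."""
    names = b""
    for srv in srv_names:
        # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT IA5String }
        other = _encode_oid(ID_ON_DNSSRV) + _tlv(0xA0, _tlv(0x16, srv.encode("ascii")))
        names += _tlv(0xA0, other)          # GeneralName [0] IMPLICIT, constructed
    for dns in dns_names:
        names += _tlv(0x82, dns.encode("ascii"))  # GeneralName [2] IMPLICIT IA5String
    return _tlv(0x30, names)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_san(der):
    """Return {'srv': [...], 'dns': [...]}; other GeneralName choices are skipped."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    found, pos = {"srv": [], "dns": []}, 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag == 0x82:
            found["dns"].append(body.decode("ascii"))
        elif tag == 0xA0:
            oid_tag, oid_body, p = _read_tlv(body, 0)
            _, wrapper, _ = _read_tlv(body, p)       # [0] EXPLICIT wrapper
            str_tag, value, _ = _read_tlv(wrapper, 0)
            if oid_tag == 0x06 and str_tag == 0x16 and _decode_oid(oid_body) == ID_ON_DNSSRV:
                found["srv"].append(value.decode("ascii"))
    return found


def srvname_matches(srv_name, service, domain):
    """SRVName is '_Service.Name'; compare both parts case-insensitively.
    Wildcards are rejected (assumption, following point 1 of the post)."""
    if not srv_name.startswith("_") or "." not in srv_name:
        return False
    svc, _, name = srv_name[1:].partition(".")
    if "*" in svc or "*" in name:
        return False
    return svc.lower() == service.lower() and name.lower() == domain.lower()


def verify_san(der, service, domain, understands_srvname=True):
    """Return which name type authorised `domain` for `service`, or None.
    A verifier that predates id-on-dnsSRV ignores the otherName entirely
    and only sees dNSName, so the new field is harmless to it (point 3)."""
    names = decode_san(der)
    if understands_srvname and any(srvname_matches(s, service, domain) for s in names["srv"]):
        return "SRVName"
    if domain.lower() in (d.lower() for d in names["dns"]):
        return "dNSName"
    return None


if __name__ == "__main__":
    # Constructed sample SAN for a hypothetical example.com XMPP deployment.
    san = encode_san(["_xmpp-server.example.com", "_xmpp-client.example.com"], ["example.com"])
    print(decode_san(san))
    print("new verifier:", verify_san(san, "xmpp-server", "example.com"))
    print("old verifier:", verify_san(san, "xmpp-server", "example.com", understands_srvname=False))
```

Because the SRVName carries the service label, a certificate issued for example.com can say which services it vouches for, something a bare dNSName cannot express; a verifier that does not know the OID still falls back to the dNSName path unchanged.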
