Hello!
Maybe somebody can enlighten me.
RFC 3920 says in section 5.1.8:
[---- SNIP ----]
Certificates MUST be checked against the hostname as provided by
the initiating entity (e.g., a user), not the hostname as
resolved via the Domain Name System; e.g., if the user specifies
a hostname of "example.com" but a DNS SRV [SRV] lookup returned
"im.example.com", the certificate MUST be checked as
"example.com". If a JID for any kind of XMPP entity (e.g.,
client or server) is represented in a certificate, it MUST be
represented as a UTF8String within an otherName entity inside the
subjectAltName, using the [ASN.1] Object Identifier
"id-on-xmppAddr" specified in Section 5.1.1 of this document.
[---- SNAP ----]
As I read this if I have a domain foo.bar an the SRV record points to
im.example.com c2s and s2s has to verify the certificate against foo.bar
instead im.example.com.
I can't find out why XMPP should not handle it like SMTP. In case of s2s
the certificate is verified against the canonical name in the MX record
(for XMPP the _xmpp-server._tcp record is like the MX record for SMTP)
and the XMPP _xmpp-client._tcp record I see like autoconfig/autodiscover
for mail.
XMPP I have to create and install a certificate for every domain.
Making it IMHO only complicated and contra productive for enforcing a
full encrypted XMPP network.
On a mail server I can host thousands of domains with one certificate.
Why do I have to deal in XMPP in this case with thousands of
certificates?
For now I can't see any reason for this. Or have I overseen something
enabling me to host several domains with one certificate?
Andreas
