Hi!

On 2014-05-19T10:35:39 CEST, Andreas Tauscher wrote:
> As I read this, if I have a domain foo.bar and the SRV record points to
> im.example.com, c2s and s2s have to verify the certificate against
> foo.bar instead of im.example.com.

If the name you are claiming is 'foo.bar', why would I check that you present a certificate with a completely different name? Unless you have DNSSEC, someone could inject a fake SRV (or MX in the case of SMTP) record pointing to a domain they own and that they can present a valid certificate for. What then? If you do have DNSSEC, then it's fine to check the certificate against the delegated name; deployed support for that is probably fairly small.

> I can't find out why XMPP should not handle it like SMTP.

Because it's not handled in SMTP.

> Why do I have to deal in XMPP in this case with thousands of
> certificates?

Like others said, known issue that is being worked on. For now, very few actually enforce valid certificates and instead fall back to dialback for verification.

-- 
Kim "Zash" Alvefur