Any comments on the following server certificate checking
algorithm?
1. (If implementation understands RFC4985) look for RFC4985 style
   service identity in an otherName field (of type OID id-on-dnsSRV).
   The expected identity should be:
      _xmpp-client.DOMAIN for client-server connections
      _xmpp-server.DOMAIN for server-server connections
   where DOMAIN is the JID domain.
2. Look for expected server identity (either JID domain or
   explicitly configured server hostname) in:
   a. subjectAltName otherName field of type id-on-xmppAddr
   b. subjectAltName dNSName field
   c. subject DN's Common Name field
   Wildcard name matches could be allowed in (b) and (c).
---
After seeing Peter's note about the approved sieve notify
mechanism, it just occurred to me that another approach to
identify service names might be to use the xmpp uri scheme.
Has anyone considered this before?
In that case, you could just use the subjectAltName's existing
uniformResourceIdentifier field to store JID strings prepended
with "xmpp:".
Are there any advantages to this approach? It seems to have all
the functionality of id-on-xmppAddr without needing a special
otherName type. It provides the ability to specify client identities
which RFC4985 does not, if client certificate based authentication
is used. On the other hand, RFC4985 is able to differentiate the
c2s and s2s identities, which may be important, and more naturally
maps to their SRV records.
--Shumon.
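An added example, not from Shumon's post, of the two-step check as written above, run over constructed certificate names in Python. The (kind, value) tuple representation, the kind labels and the returned rule labels are assumptions; the SRVName and id-on-xmppAddr entries are matched exactly, and wildcards are honoured only for dNSName and the CN, as the post proposes.

```python
# Added example (not from the original post): reference implementation of
# the server identity check. Certificate names are modelled as (kind, value)
# tuples; the kind labels are assumed names for the RFC 4985 SRVName
# otherName, the id-on-xmppAddr otherName, the dNSName SAN entry and the
# subject Common Name.

def _dns_match(pattern, name):
    """Case-insensitive DNS name match. A single '*' is allowed only as the
    whole leftmost label and matches exactly one label, so '*.example.com'
    matches 'a.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, n_labels = pattern.split("."), name.split(".")
    return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]

def check_server_identity(cert_names, domain, role, configured_host=None):
    """Return the rule that accepted the certificate, or None if nothing matched.

    cert_names:      iterable of (kind, value), kind in
                     {"SRVName", "xmppAddr", "dNSName", "CN"}
    domain:          the JID domain the peer is expected to serve
    role:            "c2s" or "s2s" (selects _xmpp-client / _xmpp-server)
    configured_host: explicitly configured hostname, also accepted in step 2
    """
    service = {"c2s": "_xmpp-client", "s2s": "_xmpp-server"}[role]
    # Step 1: RFC 4985 SRVName carrying the service-specific identity.
    # Exact match only: the service label is part of the name.
    expected_srv = f"{service}.{domain}".lower().rstrip(".")
    for kind, value in cert_names:
        if kind == "SRVName" and value.lower().rstrip(".") == expected_srv:
            return "1:SRVName"
    # Step 2: the expected identities, checked in order (a) xmppAddr (exact),
    # (b) dNSName, (c) subject CN; only (b) and (c) allow wildcards.
    expected = {domain.lower().rstrip(".")}
    if configured_host:
        expected.add(configured_host.lower().rstrip("."))
    for rule, kind, wildcard in (("2a:xmppAddr", "xmppAddr", False),
                                 ("2b:dNSName", "dNSName", True),
                                 ("2c:CN", "CN", True)):
        for k, value in cert_names:
            if k != kind:
                continue
            for exp in expected:
                if (_dns_match(value, exp) if wildcard
                        else value.lower().rstrip(".") == exp):
                    return rule
    return None
```

Note that a present but mismatching SRVName falls through to step 2 here, because the post's algorithm does not say otherwise; an implementation that wants SRVName to be authoritative would reject at step 1 instead.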