Alexey Melnikov wrote:
> Hi Shumon,
>
> Shumon Huque wrote:
>
>> Any comments on the following server certificate checking algorithm?
>>
>> 1. (If implementation understands RFC4985) look for RFC4985 style
>> service identity in an otherName field (of type OID id-on-dnsSRV).
>> The expected identity should be:
>>
>> _xmpp-client.DOMAIN for client-server connections
>> _xmpp-server.DOMAIN for server-server connections
>>
>> where DOMAIN is the JID domain.
>>
>> 2. Look for expected server identity (either JID domain or
>> explicitly configured server hostname) in:
>>
>> a. subjectAltName otherName field of type id-on-xmppAddr
>> b. subjectAltName dNSName field
>> c. subject DN's Common Name field
>>
>> Wildcard name matches could be allowed in (b) and (c).
>>
> Have you compared this to recommendations in
> draft-hodges-server-ident-check-00.txt? This draft has some extra
> recommendation about internationalized domain names (IDN).
>
> Also, draft-hodges-server-ident-check-00.txt prohibits wildcard checks
> in CNs (case c).
So I see. That seems like a helpful document. Is it being discussed on
the TLS list?

Peter

--
Peter Saint-Andre
https://stpeter.im/
