On Tue, May 13, 2008 at 05:51:00PM +0100, Dave Cridland wrote:
> On Tue May 13 17:16:39 2008, Shumon Huque wrote:
> >I personally think we want to encourage the use of a generalized
> >name form rather than an XMPP specific one. It will be much
> >easier to get commercial CAs and other entities down the road
> >to issue certs with general purpose extensions.
>
> Kind of - I'd prefer that certificates intended to be used as
> authorization to act as a particular jid should use id-on-xmppAddr.

Of course, a potential application-neutral option for this exists as well: the uniformResourceIdentifier SAN fields populated with jids in the xmpp URI scheme, e.g. xmpp:[EMAIL PROTECTED]

> XMPP Peer/Server identification is a particular case of this, but can
> also be treated as a general form of SRV based lookup and
> authentication, so either is probably useful in this case. Note that
> servers using RFC 4985 would either require different certificates on
> C2S and S2S ports, or else use a certificate with at least two
> SRVNames.

Right ..

> My (cynical) bet is that obtaining a single certificate with multiple
> SRVNames will be just as hard/expensive/annoying as it is to obtain a
> certificate with id-on-xmppAddr in - if for no other reason than the
> commercial CAs will spot a way of making more money by forcing you to
> get two certificates for the price of two,

You might be right about that. I wonder if commercial CAs charge more for issuing certificates with multiple dNSNames?

> whereas the xmppAddr style
> is at least usable for all XMPP-related purposes, including C2S
> client authentication.

Again URI is an alternative option here ..

--Shumon.
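The four identity forms the thread weighs against each other (dNSName, an xmpp: URI in the uniformResourceIdentifier SAN, id-on-xmppAddr as an otherName, and an RFC 4985 SRVName) are easy to confuse when looking at a real certificate. The following is an added example, not code from the thread or from any XMPP project: a minimal pure-Python DER codec that builds a subjectAltName value containing those forms, parses it back, and then answers the question Dave raises, namely which entries authorize a domain for a given service. It assumes the usual SRV service labels `_xmpp-client` and `_xmpp-server`, and all function names (`parse_san`, `identities_for_service`, the encoders) are this example's own. The OIDs are the registered ones for id-on-xmppAddr and id-on-dnsSRV.

```python
# Added example (not from the thread): encode and classify the subjectAltName
# identity forms under discussion (dNSName, xmpp: URI, id-on-xmppAddr, SRVName)
# with a minimal pure-Python DER codec, so it runs without OpenSSL or a CA.

XMPP_ADDR_OID = "1.3.6.1.5.5.7.8.5"  # id-on-xmppAddr (RFC 6120); value is a UTF8String
SRV_NAME_OID = "1.3.6.1.5.5.7.8.7"   # id-on-dnsSRV (RFC 4985); value is an IA5String

def _length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def _oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

# GeneralName encoders. Tags are context-specific IMPLICIT: [2] dNSName, [6] URI,
# [0] otherName = type-id OID followed by an EXPLICIT [0] value.
def dns_name(host): return _tlv(0x82, host.encode("ascii"))
def uri_name(uri): return _tlv(0x86, uri.encode("ascii"))
def _other_name(oid, value_tag, text):
    return _tlv(0xA0, _oid(oid) + _tlv(0xA0, _tlv(value_tag, text.encode("utf-8"))))
def xmpp_addr(jid): return _other_name(XMPP_ADDR_OID, 0x0C, jid)        # 0x0C = UTF8String
def srv_name(svc_dom): return _other_name(SRV_NAME_OID, 0x16, svc_dom)   # 0x16 = IA5String
def subject_alt_name(names): return _tlv(0x30, b"".join(names))         # SEQUENCE OF GeneralName

_OTHER_NAME_KINDS = {_oid(XMPP_ADDR_OID): "xmppAddr", _oid(SRV_NAME_OID): "SRVName"}

def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_san(der):
    """Return [(kind, text)] for every GeneralName in a SubjectAltName value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x82:
            names.append(("dNSName", val.decode("ascii")))
        elif tag == 0x86:
            names.append(("uniformResourceIdentifier", val.decode("ascii")))
        elif tag == 0xA0:
            _, _, p = _read_tlv(val, 0)                  # skip over the type-id OID
            _, explicit, _ = _read_tlv(val, p)           # the EXPLICIT [0] wrapper
            _, inner, _ = _read_tlv(explicit, 0)         # UTF8String / IA5String inside
            kind = _OTHER_NAME_KINDS.get(val[:p], "otherName:" + val[:p].hex())
            names.append((kind, inner.decode("utf-8")))
        else:
            names.append(("unsupported", val.hex()))     # e.g. rfc822Name, iPAddress
    return names

def identities_for_service(names, service, domain):
    """SAN entries that authorize `domain` for the SRV service `_xmpp-client` or
    `_xmpp-server`. An SRVName is bound to one service; the other forms are not.
    Comparison is plain case-folding; real JID/IDNA normalization is omitted here."""
    expected = {
        "SRVName": f"{service}.{domain}",
        "uniformResourceIdentifier": f"xmpp:{domain}",
        "xmppAddr": domain,
        "dNSName": domain,
    }
    return [(k, t) for k, t in names
            if k in expected and t.lower() == expected[k].lower()]

# Constructed samples: the two certificate shapes the thread contrasts.
SAN_SRV_ONLY = subject_alt_name([srv_name("_xmpp-client.example.com")])
SAN_XMPP_ADDR = subject_alt_name([xmpp_addr("example.com"), uri_name("xmpp:example.com")])

if __name__ == "__main__":
    for label, san in (("SRVName only", SAN_SRV_ONLY), ("xmppAddr + URI", SAN_XMPP_ADDR)):
        for svc in ("_xmpp-client", "_xmpp-server"):
            print(label, svc, identities_for_service(parse_san(san), svc, "example.com"))
```

Running it shows the asymmetry the thread is about: the SRVName-only certificate authorizes example.com for `_xmpp-client` but yields nothing for `_xmpp-server`, so a server would need a second SRVName (or a second certificate), whereas the xmppAddr and xmpp: URI entries satisfy both services. A real verifier would of course also validate the chain and apply the JID/IDNA normalization this example skips.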
