Let's give this one a different subject, then, eh?

On Tue May 13 20:12:53 2008, Shumon Huque wrote:
> On Tue, May 13, 2008 at 05:51:00PM +0100, Dave Cridland wrote:
> > On Tue May 13 17:16:39 2008, Shumon Huque wrote:
> > > I personally think we want to encourage the use of a generalized
> > > name form rather than an XMPP specific one. It will be much
> > > easier to get commercial CAs and other entities down the road
> > > to issue certs with general purpose extensions.
> >
> > Kind of - I'd prefer that certificates intended to be used as
> > authorization to act as a particular jid should use id-on-xmppAddr.
>
> Of course, a potential application neutral option for this exists
> as well: the uniformResourceIdentifier SAN fields populated with
> jids in the xmpp URI scheme, e.g. xmpp:[EMAIL PROTECTED]


xmpp://[EMAIL PROTECTED] maybe. For this instance, I'm not sure. Would xmpp:[EMAIL PROTECTED] provide authentication to talk to PSA? :-)

I'm not convinced, because I don't know what it's intended to mean.

> > My (cynical) bet is that obtaining a single certificate with multiple
> > SRVNames will be just as hard/expensive/annoying as it is to obtain a
> > certificate with id-on-xmppAddr in - if for no other reason than the
> > commercial CAs will spot a way of making more money by forcing you to
> > get two certificates for the price of two,
>
> You might be right about that. I wonder if commercial CAs charge more
> for issuing certificates with multiple dNSNames?


I've no idea. It doesn't appear so, they just sign the CSR. But given that the specifications (and entire point of PKI) mandate that they check the Subject and every SAN, I think they'd probably be justified in charging a bit more, to be fair.


> > whereas the xmppAddr style
> > is at least usable for all XMPP-related purposes, including C2S
> > client authentication.
>
> Again URI is an alternative option here ..

Yes, but historically, X.509 has simply had specific bits for each usage, so ORNames for signing email, and similar identifiers to act as P1 channels. Only DAP/LDAP have been immune from this, and really because their concept of identity and identifiers is fundamental to X.509 anyway, hence the DNs used for Subject and Issuer.

I've actually no idea what the URI General Name is for, but it wouldn't surprise me if it has a very specific purpose that XMPP authentication wouldn't fit. In lieu of wild guesses, though, I'll ask the guy who sits next to me here, who's pretty knowledgeable on X.509, and no doubt spawn an exciting office debate on the finer details of the X.500 series.

(Yeah, we have to remind people here it's not X.MPP...)

Dave.
--
Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED]
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
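As an added example (not part of the thread or anyone's posted code), here is a pure-Python DER encoder and decoder for the subjectAltName GeneralNames the discussion compares (id-on-xmppAddr otherName, SRVName, dNSName and the URI form), with a filter that keeps the three forms RFC 6120 later settled on as XMPP identities. The OIDs are the real ones; the example.net values are constructed.

```python
# Added example, not code from the thread: build a DER GeneralNames SEQUENCE (the body of
# an X.509 subjectAltName) carrying each identifier form discussed above, parse it back, and
# keep only the forms RFC 6120 admits as XMPP identities. OIDs are real; example.net values are constructed.
OID_XMPPADDR = bytes.fromhex("06082b06010505070805")  # id-on-xmppAddr, 1.3.6.1.5.5.7.8.5 (RFC 6120)
OID_SRVNAME = bytes.fromhex("06082b06010505070807")   # id-on-dnsSRV, 1.3.6.1.5.5.7.8.7 (RFC 4985)
OTHER_NAME_KINDS = {OID_XMPPADDR: "xmppAddr", OID_SRVNAME: "SRVName"}

def _length(n):                        # DER definite-length octets, short or long form
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return b if n < 0x80 else bytes([0x80 | len(b)]) + b

def tlv(tag, body):                    # one DER tag-length-value element
    return bytes([tag]) + _length(len(body)) + body

def other_name(oid_der, inner):        # OtherName ::= { type-id OID, value [0] EXPLICIT ANY }
    return tlv(0xA0, oid_der + tlv(0xA0, inner))

def read_tlv(buf, pos):                # -> (tag, value, offset just past the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long form: low bits give the number of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_general_names(der):          # -> [(kind, text)] for every GeneralName in the SEQUENCE
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0xA0:                                  # [0] otherName
            _, _, p = read_tlv(val, 0)                   # type-id OID occupies val[:p]
            _, explicit, _ = read_tlv(val, p)            # [0] EXPLICIT wrapper around the value
            _, inner, _ = read_tlv(explicit, 0)          # UTF8String (xmppAddr) or IA5String (SRVName)
            names.append((OTHER_NAME_KINDS.get(val[:p], "otherName"), inner.decode("utf-8")))
        elif tag == 0x82:                                # [2] dNSName, IA5String
            names.append(("dNSName", val.decode("ascii")))
        elif tag == 0x86:                                # [6] uniformResourceIdentifier, IA5String
            names.append(("URI", val.decode("ascii")))
        else:                                            # rfc822Name, iPAddress, ...: not XMPP identities
            names.append(("other", val.hex()))
    return names

def xmpp_identities(der):              # the three SAN forms RFC 6120 lists; the URI form is left out
    return [(k, v) for k, v in parse_general_names(der) if k in ("xmppAddr", "SRVName", "dNSName")]

# Constructed sample SAN for example.net with one of each form the thread compares
SAMPLE_SAN = tlv(0x30, other_name(OID_XMPPADDR, tlv(0x0C, b"example.net"))
                 + other_name(OID_SRVNAME, tlv(0x16, b"_xmpp-server.example.net"))
                 + tlv(0x82, b"example.net") + tlv(0x86, b"xmpp:example.net"))
```

Running `xmpp_identities(SAMPLE_SAN)` shows the xmppAddr, SRVName and dNSName entries survive while the `xmpp:` URI entry is classified but not treated as an identity.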
