On 05/13/2008 2:44 PM, Dave Cridland wrote:
> Let's give this one a different subject, then, eh?
>
> On Tue May 13 20:12:53 2008, Shumon Huque wrote:
>> On Tue, May 13, 2008 at 05:51:00PM +0100, Dave Cridland wrote:
>> > On Tue May 13 17:16:39 2008, Shumon Huque wrote:
>> > >I personally think we want to encourage the use of a generalized
>> > >name form rather than an XMPP specific one. It will be much
>> > >easier to get commercial CAs and other entities down the road
>> > >to issue certs with general purpose extensions.
>> >
>> > Kind of - I'd prefer that certificates intended to be used as
>> > authorization to act as a particular jid should use id-on-xmppAddr.
>>
>> Of course, a potential application neutral option for this exists
>> as well: the uniformResourceIdentifier SAN fields populated with
>> jids in the xmpp URI scheme, e.g. xmpp:[EMAIL PROTECTED]
>>
>
> xmpp://[EMAIL PROTECTED] maybe. For this instance, I'm not sure. Would
> xmpp:[EMAIL PROTECTED] provide authentication to talk to PSA? :-)
>
> I'm not convinced, because I don't know what it's intended to mean.

it = the URI?

Back in the dark ages of discussion about XMPP URIs, our illustrious area
director at the IETF suggested that we could specify an entity to authorize
*as* by including that identity as the authority component. So if you want
people to be able to log in as [EMAIL PROTECTED], the URI would be:

xmpp://[EMAIL PROTECTED]

If you want people to be able to log in as [EMAIL PROTECTED] and send a
message to [EMAIL PROTECTED], the URI would be

xmpp://[EMAIL PROTECTED]/[EMAIL PROTECTED]

Yes, this looks confusing. That's because it is. Basically just ignore the
authority component, i.e., don't include it in XMPP URIs. :)

>> > My (cynical) bet is that obtaining a single certificate with multiple
>> > SRVNames will be just as hard/expensive/annoying as it is to obtain a
>> > certificate with id-on-xmppAddr in - if for no other reason than the
>> > commercial CAs will spot a way of making more money by forcing you to
>> > get two certificates for the price of two,
>>
>> You might be right about that. I wonder if commercial CAs charge more
>> for issuing certificates with multiple dNSNames?

The XMPP ICA doesn't charge any money. :P

> I've no idea. It doesn't appear so, they just sign the CSR. But given
> that the specifications (and entire point of PKI) mandate that they
> check the Subject and every SAN, I think they'd probably be justified in
> charging a bit more, to be fair.
>
>
>> > whereas the xmppAddr style
>> > is at least usable for all XMPP-related purposes, including C2S
>> > client authentication.
>>
>> Again URI is an alternative option here ..
>
> Yes, but historically, X.509 has simply had specific bits for each
> usage, so ORNames for signing email, and similar identifiers to act as
> P1 channels. Only DAP/LDAP have been immune from this, and really
> because their concept of identity and identifiers is fundamental to
> X.509 anyway, hence the DNs used for Subject and Issuer.
>
> I've actually no idea what the URI General Name is for, but it wouldn't
> surprise me if it has a very specific purpose that XMPP authentication
> wouldn't fit. In lieu of wild guesses, though, I'll ask the guy who sits
> next to me here, who's pretty knowledgeable on X.509, and no doubt spawn
> an exciting office debate on the finer details of the X.500 series.

And the result was...? :)

Peter

--
Peter Saint-Andre
https://stpeter.im/
smime.p7s
Description: S/MIME Cryptographic Signature
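The identifier forms argued over in this thread (an id-on-xmppAddr otherName, an xmpp: URI in a uniformResourceIdentifier SAN, a plain dNSName, and an RFC 4985 SRVName otherName) as they sit side by side in a certificate's subjectAltName, as an added Python example that is not part of the original messages: it DER-encodes and decodes the GeneralNames structure by hand, and the JIDs and host names in SAMPLE are constructed values.

```python
# Added example, not from the thread: DER-encode and decode X.509 GeneralNames (a subjectAltName).
OID_XMPPADDR = bytes.fromhex("2b06010505070805")  # id-on-xmppAddr 1.3.6.1.5.5.7.8.5 (RFC 6120)
OID_DNSSRV = bytes.fromhex("2b06010505070807")    # id-on-dnsSRV 1.3.6.1.5.5.7.8.7 (RFC 4985)
SIMPLE_TAGS = {"dns": 0x82, "uri": 0x86}          # [2] dNSName and [6] uniformResourceIdentifier
OTHER_ENC = {"xmppAddr": (OID_XMPPADDR, 0x0C), "dnsSRV": (OID_DNSSRV, 0x16)}  # UTF8String / IA5String
OTHER_DEC = {OID_XMPPADDR: "xmppAddr", OID_DNSSRV: "dnsSRV"}
SAMPLE = [("xmppAddr", "juliet@example.com"), ("dnsSRV", "_xmpp-client.example.com"),
          ("dns", "example.com"), ("uri", "xmpp:juliet@example.com")]  # constructed sample names

def _length(n):  # DER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def _read(buf, pos):  # one TLV -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_san(names):  # names: list of (kind, text); kind is dns, uri, xmppAddr or dnsSRV
    items = []
    for kind, text in names:
        v = text.encode("utf-8")
        if kind in SIMPLE_TAGS:
            items.append(_tlv(SIMPLE_TAGS[kind], v))
        else:  # [0] otherName { type-id OID, value [0] EXPLICIT <string> }; KeyError if unsupported
            oid, string_tag = OTHER_ENC[kind]
            items.append(_tlv(0xA0, _tlv(0x06, oid) + _tlv(0xA0, _tlv(string_tag, v))))
    return _tlv(0x30, b"".join(items))  # GeneralNames ::= SEQUENCE OF GeneralName

def parse_san(der):  # GeneralNames DER -> list of (kind, text); unrecognised forms kept as hex
    _, body, _ = _read(der, 0)
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read(body, pos)
        if tag in (0x82, 0x86):
            names.append(("dns" if tag == 0x82 else "uri", val.decode("ascii")))
        elif tag == 0xA0:  # otherName: the type-id OID, then the [0] EXPLICIT wrapper
            _, oid, p = _read(val, 0)
            _, inner, _ = _read(_read(val, p)[1], 0)
            names.append((OTHER_DEC.get(oid, "otherName:" + oid.hex()), inner.decode("utf-8")))
        else:
            names.append(("tag-%#x" % tag, val.hex()))
    return names
```

Feeding the output of `encode_san(SAMPLE)` to `parse_san` round-trips all four forms, which makes it easy to see that only the xmppAddr entry names a JID directly while the URI entry still needs the scheme-specific interpretation the thread is debating.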
