[Psi-Devel] wildcard certificate matching
Peter Saint-Andre
stpeter at stpeter.im
Tue Mar 4 10:35:19 PST 2008
Maciek Niedzielski wrote:
> Justin Karneges writes:
>> On Tuesday 04 March 2008 6:28 am, Jesse Thompson wrote:
>>> Given the following wildcard certificate:
>>>
>>> Common name: domain.tld, *.domain.tld
>>> Domain name: *.domain.tld, domain.tld
>>> XMPP name: domain.tld
>>>
>>> Should the certificate match all of the following JID domains?
>>>
>>> domain.tld
>>> foo.domain.tld
>>> bar.domain.tld
>>>
>>> Psi doesn't allow sub.domain.tld. So my question is whether this is a
>>> bug with Psi, or if the certificate isn't being issued correctly (the
>>> XMPP ICA in this case.)
>> Hmm, it could be a Psi bug. Can you share the actual certificate?
>
> I think that if there is XMPP name, it must match (in Psi) - other
> fields are not checked. But I am not saying that this is the correct
> behavior. There was a talk about this on Standards last week.
Yes, this needs to be cleared up in the specs. The current text does not
reflect the emerging consensus:
http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3920bis-04.html#tls-rep-server
We may end up discouraging use of id-on-xmppAddr for servers. As a
stopgap, the XMPP ICA policy could be adjusted to include the wildcard
in the id-on-xmppAddr OID.
Jesse's challenge is that he wants to use the same cert for many
different subdomains such as foo.wisc.edu and bar.wisc.edu. That should be
fine with a wildcard cert of *.wisc.edu but if the id-on-xmppAddr has
"wisc.edu" then the current certificate checking rules will cause
problems. We need to fix that. But I think Psi is probably in line with
RFC 3920 on this point -- it's RFC 3920 that is misguided, and we need
to fix rfc3920bis to handle this usage. I'll try to get to that soon.
Peter
--
Peter Saint-Andre
https://stpeter.im/
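To make the matching rules under discussion concrete, here is an added example (not Psi's code and not anything from the thread or rfc3920bis) that models the three variants in Python: the xmppAddr-only check Maciek describes for Psi, a check that also accepts dNSName and CN with a single-label wildcard, and Peter's stopgap of letting the CA put the wildcard into id-on-xmppAddr. The certificate data is constructed to mirror Jesse's certificate; names are passed in as plain lists rather than parsed from X.509, and the policy names are this example's own.

```python
"""Model of XMPP server certificate name matching (added example, not Psi code)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CertNames:
    """Name fields pulled out of a server certificate. Constructed sample data;
    real code would take these from the parsed X.509 structure."""
    common_names: List[str] = field(default_factory=list)  # subject CN values
    dns_names: List[str] = field(default_factory=list)     # subjectAltName dNSName
    xmpp_addrs: List[str] = field(default_factory=list)    # subjectAltName otherName id-on-xmppAddr


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def wildcard_match(pattern: str, host: str) -> bool:
    """Compare a presented name with a reference host. A '*' is accepted only
    as the entire leftmost label and stands for exactly one label, so
    '*.domain.tld' matches 'foo.domain.tld' but neither 'domain.tld' nor
    'a.b.domain.tld'. Anything else must match label for label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def matches(cert: CertNames, host: str, policy: str = "xmppaddr_only",
            xmppaddr_wildcard: bool = False) -> bool:
    """Decide whether `cert` is acceptable for the JID domain `host`.

    policy="xmppaddr_only": if the cert carries any id-on-xmppAddr, only those
        values count and the other fields are ignored (the Psi behaviour
        described in the thread). With no xmppAddr, fall back to the names.
    policy="any_name": accept a match in id-on-xmppAddr, dNSName or CN.
    xmppaddr_wildcard: treat '*' in id-on-xmppAddr like in dNSName (the
        stopgap of letting the CA put the wildcard into the xmppAddr OID);
        otherwise id-on-xmppAddr is compared label for label.
    """
    xmpp_ok = any(
        wildcard_match(a, host) if xmppaddr_wildcard else _labels(a) == _labels(host)
        for a in cert.xmpp_addrs
    )
    if policy == "xmppaddr_only" and cert.xmpp_addrs:
        return xmpp_ok
    if xmpp_ok:
        return True
    return any(wildcard_match(n, host) for n in cert.dns_names + cert.common_names)


# Constructed to mirror the certificate in Jesse's mail.
JESSE_CERT = CertNames(
    common_names=["domain.tld", "*.domain.tld"],
    dns_names=["*.domain.tld", "domain.tld"],
    xmpp_addrs=["domain.tld"],
)

# Same certificate as the CA would issue it under the proposed stopgap.
STOPGAP_CERT = CertNames(
    common_names=JESSE_CERT.common_names,
    dns_names=JESSE_CERT.dns_names,
    xmpp_addrs=["*.domain.tld", "domain.tld"],
)


def report(hosts: List[str], cert: CertNames = JESSE_CERT,
           stopgap_cert: CertNames = STOPGAP_CERT) -> Dict[str, Dict[str, bool]]:
    """Evaluate each JID domain under the three variants discussed."""
    return {
        h: {
            "psi_xmppaddr_only": matches(cert, h),
            "any_name": matches(cert, h, policy="any_name"),
            "xmppaddr_with_wildcard": matches(stopgap_cert, h, xmppaddr_wildcard=True),
        }
        for h in hosts
    }


if __name__ == "__main__":
    for host, result in report(["domain.tld", "foo.domain.tld", "a.b.domain.tld"]).items():
        print(host, result)
```

Run as is, it shows that `foo.domain.tld` fails only under the xmppAddr-only policy, that `domain.tld` passes everywhere, and that `a.b.domain.tld` passes nowhere because the wildcard stands for exactly one label; the registered domain itself is never matched by `*.domain.tld`, which is why the sample certificate also carries the bare `domain.tld` names.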