[Psi-Devel] wildcard certificate matching
Justin Karneges
justin-psi2 at affinix.com
Tue Mar 4 13:01:44 PST 2008
On Tuesday 04 March 2008 10:35 am, Peter Saint-Andre wrote:
> Maciek Niedzielski wrote:
> > Justin Karneges pisze:
> >> On Tuesday 04 March 2008 6:28 am, Jesse Thompson wrote:
> >>> Given the following wildcard certificate:
> >>>
> >>> Common name: domain.tld, *.domain.tld
> >>> Domain name: *.domain.tld, domain.tld
> >>> XMPP name: domain.tld
> >>>
> >>> Should the certificate match all of the following JID domains?
> >>>
> >>> domain.tld
> >>> foo.domain.tld
> >>> bar.domain.tld
> >>>
> >>> Psi doesn't allow sub.domain.tld. So my question is whether this is a
> >>> bug with Psi, or if the certificate isn't being issued correctly (the
> >>> XMPP ICA in this case.)
> >>
> >> Hmm, it could be a Psi bug. Can you share the actual certificate?
> >
> > I think that if there is XMPP name, it must match (in Psi) - other
> > fields are not checked. But I am not saying that this is the correct
> > behavior. There was a talk about this on Standards last week.
According to the source, Psi considers the cert valid if any fields match.
> Yes this needs to be cleared up in the specs.
RFC 3920, Section 14.2 says 'The certificate SHOULD then be checked against
the expected identity of the peer following the rules described in [RFC
2818], except that a subjectAltName extension of type "xmpp" MUST be used as
the identity if present.'
The wording is confusing. Does 'extension of type "xmpp" MUST be used as the
identity' mean that the other fields cannot be considered when doing server
validation? Is it "MUST be used instead of"? Or is it "MUST be used in
addition to"? Or does the text have no effect on server validation and
instead it is for deriving the identity of a client cert?
It seems like just about anything could be considered correct behavior here.
> the emerging consensus:
>
> http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3920bis-04.html#tls-rep-server
Regarding this new text, must we really go into details about "left-most
domain name component" ? Does this differ from RFC 2818 instructions? We
have generic 2818 validator code, and having to make a special one for XMPP
seems unnecessary. Let's just make a reference to an existing document.
-Justin
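Added example (Python, not Psi's code) of the matching rules under discussion: RFC 2818 section 3.1 wildcard matching applied to the names in the certificate Jesse quoted, evaluated under the two readings of the 'xmpp' subjectAltName wording raised in this message. The certificate field layout, the function names and the extra test hostnames are assumptions for illustration.

```python
# RFC 2818 section 3.1 name matching: '*' matches any single domain name
# component or component fragment, so *.a.com matches foo.a.com but not
# bar.foo.a.com, and f*.com matches foo.com but not bar.com.
def rfc2818_name_matches(pattern: str, hostname: str) -> bool:
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans a dot
    for p, h in zip(p_labels, h_labels):
        if "*" not in p:
            if p != h:
                return False
            continue
        head, _, tail = p.partition("*")  # assumes at most one '*' per label
        if not (h.startswith(head) and h.endswith(tail)
                and len(h) >= len(head) + len(tail)):
            return False
    return True

# Names from the certificate quoted in the thread (constructed dict; the
# field layout is an assumption, not a real X.509 parser's output).
CERT = {
    "cn": ["domain.tld", "*.domain.tld"],
    "dnsname": ["*.domain.tld", "domain.tld"],
    "xmpp": ["domain.tld"],  # subjectAltName of type "xmpp"
}

def matches_xmpp_only(cert, jid_domain):
    """Reading 1 (Maciek's description of Psi): if an xmpp name is present,
    only it is checked; other fields are ignored."""
    names = cert["xmpp"] or cert["dnsname"] or cert["cn"]
    return any(rfc2818_name_matches(n, jid_domain) for n in names)

def matches_any_field(cert, jid_domain):
    """Reading 2 ("MUST be used in addition to"): any listed name may match."""
    names = cert["xmpp"] + cert["dnsname"] + cert["cn"]
    return any(rfc2818_name_matches(n, jid_domain) for n in names)

def report(cert, jid_domains):
    """Return {jid_domain: (xmpp_only_result, any_field_result)}."""
    return {d: (matches_xmpp_only(cert, d), matches_any_field(cert, d))
            for d in jid_domains}

if __name__ == "__main__":
    # deep.sub.domain.tld is a constructed extra case: no reading accepts it,
    # because *.domain.tld covers exactly one left-most component.
    for dom, (xmpp_only, any_field) in report(
            CERT, ["domain.tld", "foo.domain.tld", "sub.domain.tld",
                   "deep.sub.domain.tld"]).items():
        print(f"{dom:22} xmpp-only={xmpp_only!s:5} any-field={any_field}")
```

Under reading 1 only domain.tld is accepted, which is the behaviour Jesse reported for sub.domain.tld; under reading 2 every single-level subdomain is accepted via *.domain.tld.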