There is a minor problem with that from the XMPP-s2s POV: it does not
(explicitly) cover the case where a server verifies the identity of a
peer server (see rfc3920bis 6.2.4 or the s2s section of XEP 0178 for
details).
AFAICS, the only difference is that the reference identifier is supplied
by the peer instead of being constructed as described in section 4.2.
Therefore, I'd propose adding the following note to the end of section 4.1:
Note: Some application protocols such as XMPP perform the procedure
described in this section when verifying a server identity in a
certificate presented by a TLS client. By this, and in contrast to the
procedure described in the next subsection, the reference identifier is
supplied by the peer (TLS client). Except for this and the inverted
client-server role, the verification process remains unchanged.
cheers
philipp
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
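The check the proposed note describes, as an added example that is not part of this message or of the referenced drafts: the reference identifier is supplied by the peer (the domain the connecting server asserts) and is matched against the identifiers the certificate presents. The certificate is modelled as a constructed list of (type, value) pairs rather than parsed from X.509, and all function and sample names are assumptions.

```python
from typing import Iterable, Tuple

# Constructed sample: identifiers a peer server's certificate might present
# (not taken from any real certificate).
PEER_CERT_IDS = [
    ("DNS-ID", "*.example.net"),
    ("SRV-ID", "_xmpp-server.example.net"),
    ("XmppAddr", "im.example.net"),
]


def dns_id_matches(reference: str, presented: str) -> bool:
    """Case-insensitive, label-by-label DNS-ID comparison. A '*' is accepted
    only as the complete left-most label of the presented identifier and
    covers exactly one label of the reference identifier; partial wildcards
    (e.g. 'f*o') and wildcards in other positions are rejected."""
    ref_labels = reference.lower().rstrip(".").split(".")
    pres_labels = presented.lower().rstrip(".").split(".")
    if len(ref_labels) != len(pres_labels):
        return False
    if not all(ref_labels) or not all(pres_labels):
        return False  # empty labels ("a..b") are never valid
    for i, (r, p) in enumerate(zip(ref_labels, pres_labels)):
        if p == "*" and i == 0:
            continue  # wildcard covers this single left-most label
        if "*" in p or r != p:
            return False
    return True


def verify_peer_server_identity(reference_id: str,
                                presented: Iterable[Tuple[str, str]],
                                service: str = "xmpp-server") -> bool:
    """Return True if the peer-supplied reference identifier is matched by
    any presented identifier. The roles are inverted relative to the usual
    client check: the TLS server verifies the TLS client's certificate, and
    the reference identifier comes from the peer, not from a local lookup."""
    ref = reference_id.lower().rstrip(".")
    for kind, value in presented:
        if kind == "DNS-ID" and dns_id_matches(ref, value):
            return True
        if kind == "SRV-ID":
            # SRV-ID form is "_service.domain"; no wildcards, exact domain.
            svc, _, name = value.partition(".")
            if svc == "_" + service and name.lower().rstrip(".") == ref:
                return True
        if kind == "XmppAddr" and value.lower().rstrip(".") == ref:
            return True
    return False
```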