-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 JD Conley wrote: >> address. Naturally we'll need to clarify this in rfc3920bis, but my >> question now is: how do existing clients and servers handle this? > > We do this on the server side with a separate cert for each domain -- > even conference, users, and other sub-domains used in s2s. Some client > software packages present a warning when certificates aren't correct > (domain mismatch, etc) but many do not and just use the certificates for > encryption, not authentication.
Let's say you are DreamHost, which has offered jabber services for years now. You want to offer secure connections. But you host 50,000+ domains. Are you going to have a separate certificate for each of those domains? Or let's say you are Internet2 and you want to offer XMPP services for all member universities, of which there are several hundred. Here again, are you going to have a separate cert for each domain, or one cert with all the possible virtual hosting domains as CNs and/or id-on-xmppAddr subjectAltNames? Just curious. :-) Peter - -- Peter Saint-Andre Jabber Software Foundation http://www.jabber.org/people/stpeter.shtml -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFEBe8ENF1RSzyt3NURAlEHAKCceSBkbwf0X7zX+M1LObinIMT0WACePogI WSVsPnM7X8cy9b3nkEp5cpc= =ELGp -----END PGP SIGNATURE-----
smime.p7s
Description: S/MIME Cryptographic Signature