On Tuesday 07 March 2006 12:05, Peter Saint-Andre wrote:
> > Candidates for storing the JID are: userID id-on-xmppAddr
>
> RFC 3920 is clear on this. I would say that userID is not a candidate
> (although RFC 3920 does not prohibit that, since it says only that the
> JID MUST be stored as an otherName in the subjectAltName, IMHO it is not
> a good idea to store the same information in two places).

Currently, everyone puts the domain of a server in the commonName.  And this 
is also consistent with RFC 3920's recommendation of using the HTTP methods 
to verify if a certificate in a c2s/s2s connection is valid.  Thus, it should 
be quite acceptable to put the value in three fields: commonName, dNSName, 
and xmppAddr otherName.

We should probably not put nodes into the commonName and dNSName fields.  
These fields should only be used if your JID is domain-only.  However, it is 
not clear if this is forbidden (maybe something to note in 3920bis?).

As I think about this some more, it seems to me that in a Jabberized world, 
the only field we'd care about is xmppAddr.  dNSName and commonName are 
really only there for compatibility with existing CAs and restrictive TLS 
implementations.

As I think about this even /more/, I wonder if we should allow fallback of 
JIDs with nodes into the rfc822Name field.  This may help with 
similarly-restrictive S/MIME implementations, as well as CAs.  I agree that 
putting the same information in two places is not a great idea, but there 
seems to be a standard practice of already doing it with domains, so I think 
it is worth considering for jid->email.

> > Any other ideas? BTW: What means "id-on-" in id-on-xmppAddr? Why not
> > just "xmppAddr"?
>
> It's ASN.1 madness, don't ask.

And just shorthand for documentation purposes.  The string is basically like a 
namespace, and the prefix helps give an idea of what it is for, which I think 
is Identity-OtherName (just a guess).  This namespace string doesn't appear 
in the Certificate anywhere, only the OID does, so there's no reason to get 
too hung up about it.

-Justin

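Added example, not from the thread or from any Jabber/RFC 3920 implementation: it encodes the subjectAltName entries discussed above (id-on-xmppAddr otherName, dNSName, and the proposed rfc822Name fallback) for a JID, parses them back, and applies the matching rule the post sketches. It assumes the id-on-xmppAddr OID 1.3.6.1.5.5.7.8.5 from RFC 3920, uses constructed sample JIDs, and models only the SAN entries, not the subject commonName.

```python
XMPP_ADDR_OID = b"\x2b\x06\x01\x05\x05\x07\x08\x05"  # DER of 1.3.6.1.5.5.7.8.5 (id-on-xmppAddr)
SIMPLE = {0x82: "dNSName", 0x81: "rfc822Name"}         # IMPLICIT-tagged IA5String GeneralNames

def der(tag, body):
    """Wrap body in one DER TLV (short-form length; enough for these names)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def tlv(buf):
    """Split off one short-form DER TLV: (tag, value, remaining bytes)."""
    tag, n = buf[0], buf[1]
    assert n < 0x80
    return tag, buf[2:2 + n], buf[2 + n:]

def san_for(jid, email_fallback=False):
    """GeneralNames for one JID: xmppAddr always; dNSName only when domain-only;
    rfc822Name only as the fallback the post floats for JIDs with a node."""
    node, _, domain = jid.rpartition("@")
    other = der(0x06, XMPP_ADDR_OID) + der(0xA0, der(0x0C, jid.encode()))
    names = der(0xA0, other)                  # [0] otherName
    if not node:
        names += der(0x82, domain.encode())   # [2] dNSName
    elif email_fallback:
        names += der(0x81, jid.encode())      # [1] rfc822Name
    return der(0x30, names)                   # SEQUENCE OF GeneralName

def parse_san(data):
    """Return [(kind, value)] for the name forms this example understands."""
    tag, body, _ = tlv(data)
    assert tag == 0x30, "GeneralNames must be a SEQUENCE"
    out = []
    while body:
        tag, val, body = tlv(body)
        if tag in SIMPLE:
            out.append((SIMPLE[tag], val.decode()))
        elif tag == 0xA0:                     # otherName: OID, then [0] EXPLICIT value
            _, oid, rest = tlv(val)
            utf8 = tlv(tlv(rest)[1])[1]       # unwrap [0] EXPLICIT, then the UTF8String
            if oid == XMPP_ADDR_OID:
                out.append(("xmppAddr", utf8.decode()))
    return out

def jid_matches(jid, names):
    """Post's rule: domain-only JID matches dNSName/xmppAddr; JID with node matches xmppAddr/rfc822Name."""
    node, _, domain = jid.rpartition("@")
    for kind, val in names:
        if kind == "xmppAddr" and val == jid:
            return True
        if not node and kind == "dNSName" and val.lower() == domain.lower():
            return True
        if node and kind == "rfc822Name" and val == jid:
            return True
    return False
```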