Recently I have been working with StartCom regarding the XMPP ICA, and an issue has arisen regarding the representation of multiple domain names (e.g., the bare domain and various subdomains) in certificates. Traditionally we have allowed wildcards in the Class 1 certificates issued by the ICA. However, more and more attacks have been observed in the HTTP world with wildcard certs (cf. the recent Black Hat conference). Although such attacks have not yet been observed in the XMPP world, it is likely that we will end the practice of issuing Class 1 wildcard certificates (however they might be issued for Class 2 certs, which require stronger validation of the requesting entity).

As a result, it is possible that admins might feel the need to request multiple Class 1 certs in order to deploy an XMPP service (if they are not able to obtain a Class 2 certificate). For example, at the jabber.org service we might use one Class 1 certificate for the domain name "jabber.org" and another Class 1 certificate for the domain name "conference.jabber.org". This would require our XMPP server software to present the "jabber.org" certificate when a peer server attempts to open an s2s connection to the jabber.org domain, whereas it would present the "conference.jabber.org" certificate when someone from a peer server attempts to join a chatroom at the conference.jabber.org MUC service.

I do not know of any XMPP server software that can present two (or more) different certs for s2s connections depending on the domain name specified by the peer server. How would current servers handle this? Do we really need to worry about this problem, or shall we just tell administrators of XMPP services that host multiple domain names to obtain Class 2 certificates (at least from the XMPP ICA)?

Clearly DNA [1] would help here but it's not close to done.

Peter

[1] http://xmpp.org/extensions/inbox/dna.html
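As an added illustration of the per-domain certificate selection the post says servers lack (example code written for this page, not from the original post or any XMPP server): certificates are modelled only by the DNS names they carry, the `jabber.org` configuration is constructed sample data, and the matching rules (wildcard only as the whole left-most label, covering exactly one label) are an assumption modelled on the RFC 6125 style of name matching rather than anything the post specifies.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Cert:
    label: str              # human-readable handle, e.g. the PEM file name
    dns_names: tuple        # names the certificate is valid for (subject/SAN)


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against the domain a peer asked for.

    Assumed rules: case-insensitive; a wildcard is allowed only as the complete
    left-most label and matches exactly one label, so '*.jabber.org' covers
    'conference.jabber.org' but neither 'jabber.org' nor 'a.b.jabber.org'.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not host or "*" in host:
        return False
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False        # partial ('c*.jabber.org') or nested wildcards rejected
    if len(p_labels) < 3:
        return False        # '*.org' would cover an entire TLD
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def select_certificate(requested: str, certs: Sequence[Cert]) -> Optional[Cert]:
    """Pick the certificate to present for the requested s2s domain.

    An exact DNS name beats a wildcard match; among equals the first cert in
    configured order wins. None means nothing can be presented for that
    domain, which a server should report as a configuration error.
    """
    best, best_rank = None, 2
    for cert in certs:
        for name in cert.dns_names:
            if name_matches(name, requested):
                rank = 1 if "*" in name else 0
                if rank < best_rank:
                    best, best_rank = cert, rank
    return best


# Constructed configuration mirroring the post: one Class 1 cert per domain.
JABBER_ORG_CERTS = (
    Cert("jabber.org.pem", ("jabber.org",)),
    Cert("conference.jabber.org.pem", ("conference.jabber.org",)),
)
```

With this configuration a request for `muc.jabber.org` yields `None`, which is exactly the gap a second certificate or a Class 2 wildcard would have to fill.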
