On 8/26/09 11:14 PM, Philipp Hancke wrote:
> Peter Saint-Andre wrote:
> [...]
>> As a result, it is possible that admins might feel the need to request
>> multiple Class 1 certs in order to deploy an XMPP service (if they are
>> not able to obtain a Class 2 certificate). For example, at the
>> jabber.org service we might use one Class 1 certificate for the domain
>> name "jabber.org" and another Class 1 certificate for the domain name
>> "conference.jabber.org". This would require our XMPP server software to
>> present the "jabber.org" certificate when a peer server attempts to open
>> an s2s connection to the jabber.org domain, whereas it would present the
>> "conference.jabber.org" certificate when someone from a peer server
>> attempts to join a chatroom at the conference.jabber.org MUC service. I
>> do not know of any XMPP server software that can present two (or more)
>> different certs for s2s connections depending on the domain name
>> specified by the peer server.
>
> This is how Matthias implemented s2s TLS in jabberd.

Matthias is smart. :)

I just confirmed with my friends at StartCom that they don't even accept
fancy stuff in the admin-generated CSR (instead the domains are assigned
at the application level) to avoid NULL exploits and other tricks that
malicious admins tend to play. So at least from StartCom in the future
people will probably be getting multiple certs or (Class 2) wildcard certs.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

_______________________________________________
JDev mailing list
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
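The per-domain certificate choice discussed in this thread, as an added example that is not part of the original message and is not jabberd's code: the peer's stream header arrives in the clear before STARTTLS, so its `to` address can select the certificate before the handshake starts. The `CERTS` map, its file paths, the sample header and the function names are assumptions made for illustration.

```python
import xml.parsers.expat

STREAM_NS = "http://etherx.jabber.org/streams"

# Constructed mapping of hosted domain -> (cert, key); the paths are hypothetical.
CERTS = {
    "jabber.org": ("/etc/xmpp/jabber.org.crt", "/etc/xmpp/jabber.org.key"),
    "conference.jabber.org": ("/etc/xmpp/conference.crt", "/etc/xmpp/conference.key"),
}

# Constructed sample: the opening stream header a peer server sends in the
# clear, before STARTTLS, when one of its users joins a chatroom.
SAMPLE_HEADER = (
    b"<?xml version='1.0'?><stream:stream xmlns='jabber:server' "
    b"xmlns:stream='http://etherx.jabber.org/streams' "
    b"from='example.net' to='Conference.Jabber.Org' version='1.0'>"
)


class _HeaderRead(Exception):
    """Stops the parser as soon as the stream header has been seen."""


def requested_domain(header: bytes) -> str:
    """Return the lower-cased 'to' domain of an opening <stream:stream> tag."""
    seen = {}

    def on_start(name, attrs):
        # With namespace processing, expat reports "<namespace-uri> <localname>".
        if name != STREAM_NS + " stream" or not attrs.get("to"):
            raise ValueError("not a stream header with a 'to' address")
        seen["to"] = attrs["to"].lower()
        raise _HeaderRead

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler = on_start
    try:
        parser.Parse(header, False)  # the stream element stays open
    except _HeaderRead:
        return seen["to"]
    raise ValueError("incomplete stream header")


def select_cert(header: bytes):
    """Pick the certificate for the requested domain; never fall back to another."""
    domain = requested_domain(header)
    if domain not in CERTS:
        raise LookupError("no certificate for " + domain)
    return CERTS[domain]
```

Refusing an unknown domain instead of presenting a default certificate keeps the peer from receiving a certificate whose name does not match the domain it asked for.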
