On 20 July 2016 at 10:07, Simon Josefsson <si...@josefsson.org> wrote:
> Sam Whited <s...@samwhited.com> writes: > > > On Tue, Jul 19, 2016 at 4:53 AM, Simon Josefsson <si...@josefsson.org> > wrote: > >> I wonder if people really care about this usage any more -- it does not > >> scale well (all domains have to be encoded in the same cert => big > >> certs) and introduces an indirection which often leaves room for > >> attackers > > > > I don't understand what problem you're solving by doing this. > > The "problem" is that my XMPP server is called 'chat.sjd.se' and should > handle my JID 'si...@josefsson.org'. Without a cert that binds together > both domains, there is no way to verify that 'chat.sjd.se' is authorized > to serve XMPP for 'josefsson.org'. > > I'm confused. You're saying that the only XMPP service domain here is josefsson.org? In that case, the certificate only needs to contain the name josefsson.org. The hostname of the server it runs on is a non-issue here. With DNSSEC in play, there's other options - but those are poorly supported. > > As you said, it's just going to make the certs bigger and > > overcomplicates things. Using the common name works fine and, for > > better or for worse, is just about the only thing supported by any of > > the cheap or free cert providers these days. > > Using the common name only works in simplified situations where the XMPP > server sits in the domain of the JIDs it is serving, if I understand > correctly. So I disagree that "using the common name works fine" as a > generic statement. To illustrate my point, considering answering this: > what common name would you use for my setup above? > > josefsson.org alone should work OK. Obviously a dNSName SAN of the same name is better (for values of better involving CN abuse being bad). > > Just because it's in the RFC doesn't necessarily make it a best > > practice, and I think in this case you're just making more issues and > > work for yourself for no benefit. > > I share these concerns -- that's why I wonder if that part of the RFC is > really something people care about these days. Given the lack of > documentation around using SRV-ID's for XMPP certificates out there, it > seems there is marginal interest in this aspect. > I think we rely on RFC 6125 for this, which does cover things. It's possible we should update XEP-0178, too. > > /Simon >
