On 20 July 2016 at 10:15, Dave Cridland <d...@cridland.net> wrote:
> On 20 July 2016 at 10:07, Simon Josefsson <si...@josefsson.org> wrote:
>> Sam Whited <s...@samwhited.com> writes:
>>
>>> On Tue, Jul 19, 2016 at 4:53 AM, Simon Josefsson <si...@josefsson.org> wrote:
>>>> I wonder if people really care about this usage any more -- it does not
>>>> scale well (all domains have to be encoded in the same cert => big
>>>> certs) and introduces an indirection which often leaves room for
>>>> attackers
>>>
>>> I don't understand what problem you're solving by doing this.
>>
>> The "problem" is that my XMPP server is called 'chat.sjd.se' and should
>> handle my JID 'si...@josefsson.org'. Without a cert that binds together
>> both domains, there is no way to verify that 'chat.sjd.se' is authorized
>> to serve XMPP for 'josefsson.org'.
>>
>
> I'm confused. You're saying that the only XMPP service domain here is
> josefsson.org? In that case, the certificate only needs to contain the
> name josefsson.org. The hostname of the server it runs on is a non-issue
> here.
>
> With DNSSEC in play, there's other options - but those are poorly
> supported.
>
>>> As you said, it's just going to make the certs bigger and
>>> overcomplicates things. Using the common name works fine and, for
>>> better or for worse, is just about the only thing supported by any of
>>> the cheap or free cert providers these days.
>>
>> Using the common name only works in simplified situations where the XMPP
>> server sits in the domain of the JIDs it is serving, if I understand
>> correctly. So I disagree that "using the common name works fine" as a
>> generic statement. To illustrate my point, consider answering this:
>> what common name would you use for my setup above?
>>
>
> josefsson.org alone should work OK. Obviously a dNSName SAN of the same
> name is better (for values of better involving CN abuse being bad).
>
>>> Just because it's in the RFC doesn't necessarily make it a best
>>> practice, and I think in this case you're just making more issues and
>>> work for yourself for no benefit.
>>
>> I share these concerns -- that's why I wonder if that part of the RFC is
>> really something people care about these days. Given the lack of
>> documentation around using SRV-ID's for XMPP certificates out there, it
>> seems there is marginal interest in this aspect.
>>
>
> I think we rely on RFC 6125 for this, which does cover things. It's
> possible we should update XEP-0178, too.

But looking at it, maybe we don't - it refers to using dNSName or sRVName
rather than anything else, which seems to match actual practice (albeit
it's all dNSName).

>> /Simon
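As an added example (not code from this thread or from any XMPP project), here is the identity check the discussion circles around, in Python: the reference identifiers are derived only from the XMPP service domain josefsson.org, never from the SRV-resolved host chat.sjd.se, and the subject CN is consulted only when the certificate has no SAN at all. The certificates are modelled as constructed lists of (kind, value) identifiers that a caller would already have extracted from a parsed X.509 certificate; the kind labels and the sample certificates are assumptions made for illustration.

```python
# XMPP server-certificate identity check in the style of RFC 6120 s.13.7 / RFC 6125.
# Added example, not code from the thread. A certificate is modelled as a list of
# (kind, value) presented identifiers already extracted from a parsed X.509 cert
# (SubjectAltName entries plus the subject CN); no ASN.1 parsing, no wildcards.

SAN_KINDS = ("SRV-ID", "XmppAddr", "DNS-ID")  # otherName SRVName, otherName xmppAddr, dNSName

def reference_identifiers(service_domain, service="xmpp-client"):
    """Reference identifiers for an XMPP service domain, most specific first.

    The host actually connected to (chat.sjd.se, learned via SRV) is deliberately
    absent: without DNSSEC the SRV answer is unauthenticated, so only names derived
    from the service domain (josefsson.org) may be trusted.
    """
    d = service_domain.lower().rstrip(".")
    return {"SRV-ID": f"_{service}.{d}", "XmppAddr": d, "DNS-ID": d}

def cert_matches_service(presented, service_domain, service="xmpp-client"):
    """Return (ok, matched_identifier) for a list of (kind, value) presented identifiers."""
    refs = reference_identifiers(service_domain, service)
    norm = [(k, v.lower().rstrip(".")) for k, v in presented]
    for kind in SAN_KINDS:
        for k, v in norm:
            if k == kind and v == refs[kind]:
                return True, f"{kind}={v}"
    # The subject CN is a fallback only when the certificate carries no SAN at all
    # (the "cheap cert" case); once any SAN is present the CN is ignored.
    if not any(k in SAN_KINDS for k, _ in norm):
        for k, v in norm:
            if k == "CN" and v == refs["DNS-ID"]:
                return True, f"CN={v}"
    return False, None

# Constructed certificates for the setup discussed in the thread.
CERT_HOST_ONLY = [("CN", "chat.sjd.se"), ("DNS-ID", "chat.sjd.se")]
CERT_CN_ONLY = [("CN", "josefsson.org")]
CERT_SAN = [("CN", "chat.sjd.se"), ("DNS-ID", "josefsson.org"), ("DNS-ID", "chat.sjd.se")]
CERT_SRV = [("CN", "chat.sjd.se"), ("SRV-ID", "_xmpp-client.josefsson.org")]

def demo():
    # Evaluate the constructed certificates against the service domain josefsson.org.
    return {
        "host-only": cert_matches_service(CERT_HOST_ONLY, "josefsson.org"),
        "cn-only": cert_matches_service(CERT_CN_ONLY, "josefsson.org"),
        "dnsname-san": cert_matches_service(CERT_SAN, "josefsson.org"),
        "srv-id c2s": cert_matches_service(CERT_SRV, "josefsson.org"),
        "srv-id s2s": cert_matches_service(CERT_SRV, "josefsson.org", "xmpp-server"),
    }
```

The host-only certificate fails for josefsson.org, which is the gap Simon describes, while a bare CN of josefsson.org or a dNSName SAN for it passes; the SRV-ID case also shows that such an identifier is specific to the service (c2s vs. s2s).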