subdomains, was Re: [jdev] SASL EXTERNAL for s2s in jabberd14
Tony Finch
dot at dotat.at
Mon Nov 7 07:25:45 CST 2005
On Sat, 5 Nov 2005, Matthias Wimmer wrote:
> Justin Karneges schrieb:
>
> > > - If the certificate is for "example.com", do you accept this
> > > certificate to be used for "service.example.com" as well? Currently I
> > > don't. But I am not sure if this is correct/intended by RFC3920.
> >
> > You shouldn't. And I don't think XMPP-Core says to do this either.
> > However, given that the draft does mention subdomains in places, maybe we
> > could use a clarification. I personally don't think the word 'subdomain'
> > should exist in the entire draft, but it is there.
>
> I don't really like to allow subdomains either. But it might be handy if you
> do not have to include all services offered by a server into the certificate
> (so you need to get a new certificate whenever you add a service) or get
> separate certificates for all services.
The specification of subdomain handling in RFC 3920 seems to be completely
broken. I asked about it recently on the mxppwg list and I haven't
received any satisfactory replies. The difficulty of handling TLS
authentication makes it worse...
https://www.jabber.org/xmppwg/2005-October/002331.html
Tony.
--
f.a.n.finch <dot at dotat.at> http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.
More information about the JDev
mailing list