subdomains, was Re: [jdev] SASL EXTERNAL for s2s in jabberd14

Norman Rasmussen norman at rasmussen.co.za
Mon Nov 7 10:20:11 CST 2005


mmm, strange.

I can't think of any good reason to have this except to be able to use
transports that do not have DNS entries.

On 11/7/05, Tony Finch <dot at dotat.at> wrote:
> On Sat, 5 Nov 2005, Matthias Wimmer wrote:
> > Justin Karneges wrote:
> >
> > > > - If the certificate is for "example.com", do you accept this
> > > > certificate to be used for "service.example.com" as well? Currently I
> > > > don't. But I am not sure if this is correct/intended by RFC3920.
> > >
> > > You shouldn't.  And I don't think XMPP-Core says to do this either.
> > > However, given that the draft does mention subdomains in places, maybe we
> > > could use a clarification.  I personally don't think the word 'subdomain'
> > > should exist in the entire draft, but it is there.
> >
> > I don't really like to allow subdomains either. But it might be handy if you
> > do not have to include all services offered by a server into the certificate
> > (so you need to get a new certificate whenever you add a service) or get
> > separate certificates for all services.
>
> The specification of subdomain handling in RFC 3920 seems to be completely
> broken. I asked about it recently on the xmppwg list and I haven't
> received any satisfactory replies. The difficulty of handling TLS
> authentication makes it worse...
>
> https://www.jabber.org/xmppwg/2005-October/002331.html
>
> Tony.
> --
> f.a.n.finch  <dot at dotat.at>  http://dotat.at/
> BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
> GOOD.
>


--
- Norman Rasmussen
 - Email: norman at rasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/
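
The two acceptance policies debated in the thread, side by side, as an added example that is not part of the original message and is not jabberd14 code. The function names and sample domains are assumptions made for illustration; the example also normalises case and trailing dots and checks label boundaries, which the thread does not discuss.

```python
# Added illustration: function names and sample data are hypothetical.

def normalize(domain):
    """Canonical form for comparison: lower-case, no trailing dots."""
    return domain.strip().rstrip(".").lower()

def matches_exact(cert_domains, asserted):
    """Strict policy: the asserted s2s domain must itself be named
    in the certificate."""
    want = normalize(asserted)
    return any(normalize(d) == want for d in cert_domains if normalize(d))

def matches_with_subdomains(cert_domains, asserted):
    """Lax policy from the question in the thread: a certificate for a
    domain is also accepted for every name underneath it."""
    want = normalize(asserted)
    for d in cert_domains:
        d = normalize(d)
        if not d:
            continue
        # Compare on a label boundary so "badexample.com" is not
        # treated as a subdomain of "example.com".
        if want == d or want.endswith("." + d):
            return True
    return False

def compare_policies(cert_domains, asserted_domains):
    """Map each asserted domain to (strict_result, lax_result)."""
    return {a: (matches_exact(cert_domains, a),
                matches_with_subdomains(cert_domains, a))
            for a in asserted_domains}

# Constructed sample: one certificate, several domains a peer might assert.
CERT = ["example.com"]
ASSERTED = ["example.com", "Example.COM.", "service.example.com",
            "a.b.example.com", "badexample.com"]

if __name__ == "__main__":
    for name, (strict, lax) in compare_policies(CERT, ASSERTED).items():
        print(f"{name:22} strict={strict!s:5} lax={lax}")
```

Under the lax policy the holder of the "example.com" certificate is accepted as any host below that domain, so every service added later inherits trust from the one key.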


