[jdev] s2s lookup cascades

Benjamin Podszun ben at galactic-tales.de
Wed Jul 12 05:02:03 CDT 2006


Jefferson Ogata wrote:
> I do have a concern about the RFC, in the details of cn matching
> performed when SRV records are involved. While clearly you do the right
> thing in ignoring the hostname returned in an SRV record for purposes of
> cn matching, the defined approach imposes a problematic constraint on
> servers: if I want to offer a certificate for users @example.com, I must
> use a certificate for "example.com". Because the cn of this certificate
> is the domain root, if stolen it could be used to spoof other services
> for the domain root itself. Meanwhile, since jabber servers are a new
> breed, there remains a great deal of unaudited server code. The prospect
> of having a certificate for my domain root running in an unaudited piece
> of server software exposed to the world is one I do not relish.

I have two issues with this paragraph: The first/obvious one is probably
nitpicking anyway, but I'd really like to hear what you call "new
breed". http://www.xmpp.org/history.html claims that jabberd was 1.0 in
2000, which is not that new to me. But as I said, this might be nitpicking.
A completely different question comes to my mind when you talk about the
certificate: Even if your certificate for the CN example.com were
stolen, what exactly is your connection to other services here? Each
service could imo use a different certificate - if you want that. And
all your clients should notice a change of a certificate anyway?

Pondering,
Ben
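The SRV-then-cn-matching behaviour Jefferson describes above, as an added example written for this page (it is not code from the thread, from jabberd, or from any XMPP server): a small Python model of an s2s connection that picks a target from a constructed SRV record set for example.com, connects to that target, but checks the certificate name against the originating domain only, never against the SRV target. The record set, the certificate dicts (shaped like what ssl.getpeercert() returns), the port default and the single-label wildcard rule are all assumptions made for illustration; the second certificate shows why a host that serves users @example.com ends up needing a certificate for "example.com" itself.

```python
"""Model of s2s certificate name matching with SRV indirection.

Constructed example; not from the mailing-list thread or any server.
"""
from dataclasses import dataclass

XMPP_SERVER_DEFAULT_PORT = 5269  # assumed fallback when no SRV record exists


@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def select_srv_target(records):
    """Lowest priority wins; within a priority, highest weight.

    Deterministic (no weighted randomisation) to keep the example testable.
    Returns None when no records exist, so the caller falls back to the
    domain itself.
    """
    if not records:
        return None
    return sorted(records, key=lambda r: (r.priority, -r.weight))[0]


def _name_matches(pattern, name):
    """Match a presented DNS name or CN against a domain.

    Assumed rule: a wildcard is only honoured as the whole leftmost label
    and only matches exactly one label, so '*.example.com' matches
    'chat.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]          # '.example.com'
        if not name.endswith(suffix):
            return False
        head = name[: -len(suffix)]
        return bool(head) and "." not in head
    return pattern == name


def certificate_matches_domain(cert, domain):
    """True if the certificate is valid for `domain` (the JID domain).

    Prefers subjectAltName DNS entries; falls back to the subject CN only
    when no DNS SANs are present. The SRV target is deliberately not an
    input here: the point of the thread is that it must be ignored.
    """
    dns_sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_sans:
        candidates = dns_sans
    else:
        candidates = [v for rdn in cert.get("subject", ()) for (k, v) in rdn
                      if k == "commonName"]
    return any(_name_matches(p, domain) for p in candidates)


def verify_s2s_peer(jid_domain, srv_records, peer_cert):
    """Decide where to connect and whether the peer's certificate is acceptable.

    Returns (connect_host, connect_port, cert_ok). The host we connect to
    comes from the SRV record; the name we verify is the JID domain.
    """
    target = select_srv_target(srv_records)
    connect_host = target.target if target else jid_domain
    connect_port = target.port if target else XMPP_SERVER_DEFAULT_PORT
    cert_ok = certificate_matches_domain(peer_cert, jid_domain)
    return connect_host, connect_port, cert_ok


# Constructed data: what an SRV lookup for _xmpp-server._tcp.example.com
# might return, pointing at a hosting provider's machines.
EXAMPLE_SRV = [
    SrvRecord(priority=20, weight=0, port=5269, target="xmpp2.hosting.example.net."),
    SrvRecord(priority=10, weight=5, port=5269, target="xmpp1.hosting.example.net."),
]

# Certificate for the domain root: this is the one the approach requires.
CERT_DOMAIN_ROOT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"),),
}

# Certificate for the SRV target host: rejected, because the target is ignored.
CERT_SRV_TARGET = {
    "subject": ((("commonName", "xmpp1.hosting.example.net"),),),
    "subjectAltName": (("DNS", "xmpp1.hosting.example.net"),),
}

# Wildcard certificate: covers subdomains but not the root itself.
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
}

if __name__ == "__main__":
    for label, cert in (("root", CERT_DOMAIN_ROOT), ("srv-target", CERT_SRV_TARGET),
                        ("wildcard", CERT_WILDCARD)):
        print(label, verify_s2s_peer("example.com", EXAMPLE_SRV, cert))
```

Run as-is to see that the connection goes to xmpp1.hosting.example.net. while only the domain-root certificate passes; the wildcard case shows why "*.example.com" does not rescue a server that must prove it is example.com.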
