[jdev] virtual hosting and certificate checking
Peter Saint-Andre
stpeter at jabber.org
Wed Mar 1 12:59:16 CST 2006
JD Conley wrote:
>> address. Naturally we'll need to clarify this in rfc3920bis, but my
>> question now is: how do existing clients and servers handle this?
>
> We do this on the server side with a separate cert for each domain --
> even conference, users, and other sub-domains used in s2s. Some client
> software packages present a warning when certificates aren't correct
> (domain mismatch, etc) but many do not and just use the certificates for
> encryption, not authentication.

Let's say you are DreamHost, which has offered jabber services for years
now. You want to offer secure connections. But you host 50,000+ domains.
Are you going to have a separate certificate for each of those domains?

Or let's say you are Internet2 and you want to offer XMPP services for
all member universities, of which there are several hundred. Here again,
are you going to have a separate cert for each domain, or one cert with
all the possible virtual hosting domains as CNs and/or id-on-xmppAddr
subjectAltNames?

Just curious. :-)

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml