[jdev] JID and X.509
Justin Karneges
justin-keyword-jabber.093179 at affinix.com
Tue Mar 7 15:15:11 CST 2006
On Tuesday 07 March 2006 12:05, Peter Saint-Andre wrote:

> > Candidates for storing the JID are: userID id-on-xmppAddr
>
> RFC 3920 is clear on this. I would say that userID is not a candidate
> (although RFC 3920 does not prohibit that, since it says only that the
> JID MUST be stored as an otherName in the subjectAltName, IMHO it is not
> a good idea to store the same information in two places).

Currently, everyone puts the domain of a server in the commonName. And this
is also consistent with RFC 3920's recommendation of using the HTTP methods
to verify if a certificate in a c2s/s2s connection is valid. Thus, it should
be quite acceptable to put the value in three fields: commonName, dNSName,
and xmppAddr otherName.

We should probably not put nodes into the commonName and dNSName fields.
These fields should only be used if your JID is domain-only. However, it is
not clear if this is forbidden (maybe something to note in 3920bis?).

As I think about this some more, it seems to me that in a Jabberized world,
the only field we'd care about is xmppAddr. dNSName and commonName are
really only there for compatibility with existing CAs and restrictive TLS
implementations.

As I think about this even /more/, I wonder if we should allow fallback of
JIDs with nodes into the rfc822Name field. This may help with
similarly-restrictive S/MIME implementations, as well as CAs. I agree that
putting the same information in two places is not a great idea, but there
seems to be a standard practice of already doing it with domains, so I think
it is worth considering for jid->email.

> > Any other ideas? BTW: What does "id-on-" mean in id-on-xmppAddr? Why not
> > just "xmppAddr"?
>
> It's ASN.1 madness, don't ask.

And just shorthand for documentation purposes. The string is basically like a
namespace, and the prefix helps give an idea of what it is for, which I think
is Identity-OtherName (just a guess). This namespace string doesn't appear
in the Certificate anywhere, only the OID does, so there's no reason to get
too hung up about it.

-Justin
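An added example, not from the thread or from any XMPP implementation: it DER-encodes and decodes the id-on-xmppAddr otherName that RFC 3920 requires (the OID 1.3.6.1.5.5.7.8.5 is taken from RFC 3920 section 5.1.1, not from the mail), then applies the placement rules discussed above when collecting the JIDs a certificate asserts: xmppAddr is authoritative, commonName and dNSName only ever carry a domain-only JID, and rfc822Name is an opt-in fallback for node@domain. It assumes the certificate's name fields have already been parsed out of the SAN and subject by a real X.509 library; the outer GeneralName tag and long-form DER lengths are left out.

```python
# Added example: DER for the id-on-xmppAddr otherName and the identity
# extraction rules from the thread. Standard library only.
XMPP_ADDR_OID = "1.3.6.1.5.5.7.8.5"  # id-on-xmppAddr, RFC 3920 section 5.1.1

def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128, "short-form DER length is enough for a JID"
    return bytes([tag, len(body)]) + body

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:  # base-128 arcs with continuation bits
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += bytes(chunk)
    return _tlv(0x06, bytes(out))

def encode_xmpp_addr(jid: str) -> bytes:
    """OtherName ::= SEQUENCE { type-id id-on-xmppAddr, value [0] EXPLICIT UTF8String }"""
    return _tlv(0x30, _oid(XMPP_ADDR_OID) + _tlv(0xA0, _tlv(0x0C, jid.encode("utf-8"))))

def decode_xmpp_addr(der: bytes):
    """Return the JID if der is an id-on-xmppAddr OtherName, else None."""
    oid = _oid(XMPP_ADDR_OID)
    if len(der) < 2 or der[:1] != b"\x30" or der[1] != len(der) - 2:
        return None
    if der[2:2 + len(oid)] != oid:  # some other otherName type: not a JID
        return None
    rest = der[2 + len(oid):]
    if len(rest) < 4 or rest[:1] != b"\xa0" or rest[2:3] != b"\x0c" or rest[1] != rest[3] + 2:
        return None
    return rest[4:4 + rest[3]].decode("utf-8")

def asserted_jids(common_name, dns_names, other_names, rfc822_names, email_fallback=False):
    """JIDs a certificate asserts, per the placement rules in the thread:
    xmppAddr is authoritative; commonName/dNSName count only as domain-only
    JIDs (a node@domain found there is ignored); rfc822Name is opt-in."""
    jids = {j for j in map(decode_xmpp_addr, other_names) if j}
    jids |= {n for n in [common_name, *dns_names] if n and "@" not in n}
    if email_fallback:
        jids |= {a for a in rfc822_names if "@" in a}
    return jids

def cert_matches(expected_jid, **cert_fields):
    """Case-insensitive comparison; full nodeprep/nameprep is out of scope here."""
    return expected_jid.lower() in {j.lower() for j in asserted_jids(**cert_fields)}
```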