[jdev] cert handling in xmpp server implementations
Jonathan Siegle
jsiegle at psu.edu
Thu May 25 07:47:03 CDT 2006
Tony Finch said the following on 5/25/06 8:08 AM:
> On Wed, 24 May 2006, Peter Saint-Andre wrote:
>> I am working with a certification authority on adding XMPP support to
>> the certificates they issue.
>
> Has anyone written a straightforward description of how to generate a
> proper XMPP cert with all of the id-on-xmppAddr stuff using OpenSSL?
>
> Given that our cert vendor is Thawte/Verisign, I suppose this is probably
> irrelevant to us and I should worry more about whether XMPP software has
> interoperable cn-based validation despite the fact that it isn't
> specified.
>
> Tony.
You can put whatever OIDs in the csr. The CA will determine if it will
honor what you have requested.
==
From the RFC
http://www.ietf.org/rfc/rfc3920.txt
If a JID for any kind of XMPP entity (e.g.,
client or server) is represented in a certificate, it MUST be
represented as a UTF8String within an otherName entity inside the
subjectAltName, using the [ASN.1] Object Identifier
"id-on-xmppAddr" specified in Section 5.1.1 of this document.
5.1.1. ASN.1 Object Identifier for XMPP Address
The [ASN.1] Object Identifier "id-on-xmppAddr" described above is
defined as follows:
id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
id-on OBJECT IDENTIFIER ::= { id-pkix 8 } -- other name forms
id-on-xmppAddr OBJECT IDENTIFIER ::= { id-on 5 }
XmppAddr ::= UTF8String
This Object Identifier MAY also be represented in the dotted display
format as "1.3.6.1.5.5.7.8.5".
===
Open up your openssl.cnf file and look for the new_oids section. They
have an example there too. Oh and look at the man page for req. It has
lots of examples of OIDs.
-Jonathan
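As an added example (not code from the post or from the RFC), the following shell script does what Jonathan describes with the OpenSSL CLI: it writes a minimal req config whose subjectAltName carries the JID as an otherName of type id-on-xmppAddr, issues a self-signed test certificate from it, and then checks the DER bytes so you can see exactly what a server doing RFC 3920 validation (rather than CN matching) would find. The function names, the domain example.com and the one-day validity are assumptions of this example; it needs an OpenSSL 1.1 or newer CLI on PATH.

```shell
# Added example, not from the list post: minimal openssl.cnf with an
# id-on-xmppAddr otherName (OID 1.3.6.1.5.5.7.8.5) in subjectAltName,
# a self-signed test cert built from it, and a DER-level check of the result.
# Assumes an OpenSSL 1.1+ CLI on PATH; example.com is a constructed domain.
set -eu

# Emit the req config for one domain. The dotted OID is written directly in
# the otherName, so no new_oids section is required; a CA may still refuse to
# copy the extension into the issued certificate.
xmpp_req_config() {
    domain=$1
    cat <<EOF
[ req ]
distinguished_name = dn
req_extensions = xmpp_ext
prompt = no

[ dn ]
CN = $domain

[ xmpp_ext ]
# dNSName for implementations that only check DNS/CN, otherName per RFC 3920 5.1.1
subjectAltName = DNS:$domain, otherName:1.3.6.1.5.5.7.8.5;UTF8:$domain
EOF
}

# Create key.pem and a one-day self-signed cert.pem in $2 for domain $1.
make_xmpp_selfsigned() {
    domain=$1; dir=$2
    xmpp_req_config "$domain" > "$dir/xmpp.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/xmpp.cnf" \
        -extensions xmpp_ext -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Hex of the DER otherName body for JID $1: OID id-on-xmppAddr, then
# [0] EXPLICIT UTF8String (ASCII JIDs shorter than 128 bytes only).
xmpp_addr_hex() {
    jid=$1
    n=$(printf '%s' "$jid" | wc -c | tr -d ' ')
    body=$(printf '%s' "$jid" | od -An -tx1 | tr -d ' \t\n')
    printf '06082b06010505070805a0%02x0c%02x%s\n' "$((n + 2))" "$n" "$body"
}

# Succeed only if cert $1 carries id-on-xmppAddr for JID $2. Matching the DER
# bytes sidesteps 'x509 -text', which prints otherName differently per version.
cert_has_xmpp_addr() {
    openssl x509 -in "$1" -outform DER | od -An -tx1 | tr -d ' \t\n' \
        | grep -q "$(xmpp_addr_hex "$2")"
}
```

Run `make_xmpp_selfsigned example.com /tmp/xmpptest` and then `cert_has_xmpp_addr /tmp/xmpptest/cert.pem example.com` to see the check pass; point the same check at a certificate that only has a matching CN and it fails, which is the interoperability gap Tony raises.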