[jdev] wildcards vs. multiple certs
Peter Saint-Andre
stpeter at stpeter.im
Wed Aug 26 15:31:13 CDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Recently I have been working with StartCom regarding the XMPP ICA, and
an issue has arisen regarding the representation of multiple domain
names (e.g., the bare domain and various subdomains) in certificates.
Traditionally we have allowed wildcards in the Class 1 certificates
issued by the ICA. However, more and more attacks have been observed in
the HTTP world with wildcard certs (cf. the recent Black Hat
conference). Although such attacks have not yet been observed in the
XMPP world, it is likely that we will end the practice of issuing Class
1 wildcard certificates (however they might be issued for Class 2 certs,
which require stronger validation of the requesting entity).
As a result, it is possible that admins might feel the need to request
multiple Class 1 certs in order to deploy an XMPP service (if they are
not able to obtain a Class 2 certificate). For example, at the
jabber.org service we might use one Class 1 certificate for the domain
name "jabber.org" and another Class 1 certificate for the domain name
"conference.jabber.org". This would require our XMPP server software to
present the "jabber.org" certificate when a peer server attempts to open
an s2s connection to the jabber.org domain, whereas it would present the
"conference.jabber.org" certificate when someone from a peer server
attempts to join a chatroom at the conference.jabber.org MUC service. I
do not know of any XMPP server software that can present two (or more)
different certs for s2s connections depending on the domain name
specified by the peer server.
How would current servers handle this? Do we really need to worry about
this problem, or shall we just tell administrators of XMPP services that
host multiple domain names to obtain Class 2 certificates (at least from
the XMPP ICA)? Clearly DNA [1] would help here but it's not close to done.
Peter
[1] http://xmpp.org/extensions/inbox/dna.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkqVm5AACgkQNL8k5A2w/vzv4ACgkqExyJvmSgwxwYd/iRwoAMiB
Lg0An07wjUNwHJXYG1TlS2w9jSsAET3L
=jok6
-----END PGP SIGNATURE-----
More information about the JDev
mailing list