[jdev] wildcards vs. multiple certs
Peter Saint-Andre
stpeter at stpeter.im
Tue Sep 1 17:36:45 CDT 2009
On 8/26/09 11:14 PM, Philipp Hancke wrote:
> Peter Saint-Andre wrote:
> [...]
>> As a result, it is possible that admins might feel the need to request
>> multiple Class 1 certs in order to deploy an XMPP service (if they are
>> not able to obtain a Class 2 certificate). For example, at the
>> jabber.org service we might use one Class 1 certificate for the domain
>> name "jabber.org" and another Class 1 certificate for the domain name
>> "conference.jabber.org". This would require our XMPP server software to
>> present the "jabber.org" certificate when a peer server attempts to open
>> an s2s connection to the jabber.org domain, whereas it would present the
>> "conference.jabber.org" certificate when someone from a peer server
>> attempts to join a chatroom at the conference.jabber.org MUC service. I
>> do not know of any XMPP server software that can present two (or more)
>> different certs for s2s connections depending on the domain name
>> specified by the peer server.
>
> This is how Matthias implemented s2s TLS in jabberd.
Matthias is smart. :)
I just confirmed with my friends at StartCom that they don't even accept
fancy stuff in the admin-generated CSR (instead the domains are assigned
at the application level) to avoid NULL exploits and other tricks that
malicious admins tend to play. So at least from StartCom in the future
people will probably be getting multiple certs or (Class 2) wildcard certs.
Peter
--
Peter Saint-Andre
https://stpeter.im/
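The per-domain certificate selection discussed above, as an added example (not code from this thread, from jabberd, or from any XMPP server): a server holding several Class 1 certs and/or a wildcard cert picks the one to present for the domain a peer asked for, preferring an exact name over a wildcard and refusing names containing an embedded NUL. `Cert`, `select_cert` and the sample certificate records are constructed for illustration.

```python
"""Pick the certificate to present for an XMPP s2s connection.

Constructed example: the Cert records below stand in for PEM files an
admin obtained per hosted domain (or one wildcard cert for all of them).
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    label: str                                  # constructed file name
    names: List[str] = field(default_factory=list)  # dNSName / CN entries


def _name_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*' standing for the whole left-most label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    # *.jabber.org covers conference.jabber.org, but neither jabber.org
    # itself nor a.b.jabber.org (one label, not a prefix).
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def select_cert(requested: str, certs: List[Cert]) -> Optional[Cert]:
    """Return the cert to present for `requested`, or None if none fits.

    A requested name containing NUL is rejected before any comparison:
    C-string comparison would stop at the NUL, so 'jabber.org\\0...' could
    otherwise be treated as 'jabber.org'. Exact names beat wildcards.
    """
    if not requested or "\x00" in requested:
        return None
    wanted = requested.lower()
    for cert in certs:
        if wanted in (n.lower() for n in cert.names):
            return cert
    for cert in certs:
        if any(_name_matches(n, requested) for n in cert.names):
            return cert
    return None


# Constructed sample deployment: two single-name certs plus a wildcard.
SAMPLE_CERTS = [
    Cert("jabber.org.pem", ["jabber.org"]),
    Cert("conference.jabber.org.pem", ["conference.jabber.org"]),
    Cert("wildcard.jabber.org.pem", ["*.jabber.org"]),
]
```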