43
edits
(Created page with "== Preface == Written by Dave Cridland, with review and comments by Matthew Miller. == The Knight's Tale == The brave Knight approached the Wizard with some caution, becaus...") |
m (→How you're meant to do it: lowercase two characters) |
||
Line 101: | Line 101: | ||
== How you're meant to do it == | == How you're meant to do it == | ||
When authenticating a certificate, you look for a SAN which matches the asserted identity. So if a remote site asserts it is the XMPP server for dave.cridland.net, you can look for a SAN which proves it - which could be a | When authenticating a certificate, you look for a SAN which matches the asserted identity. So if a remote site asserts it is the XMPP server for dave.cridland.net, you can look for a SAN which proves it - which could be a srvName of _xmpp-server.dave.cridland.net, or a uRIName of xmpp:dave.cridland.net, or a dNSName or dave.cridland.net or ... | ||
If there are no SANs of a suitable type (none, or only, say, a directoryName) then you drop to looking for a Common Name within the Subject. This is normally referred to as "The Common Name of the cert", which makes as much sense as "The letter of your name". | If there are no SANs of a suitable type (none, or only, say, a directoryName) then you drop to looking for a Common Name within the Subject. This is normally referred to as "The Common Name of the cert", which makes as much sense as "The letter of your name". | ||
Line 107: | Line 107: | ||
You're always dealing with the name typed by the user, or something you can securely derive from that. So if you start off which dwd@dave.cridland.net, then you can securely derive the domain dave.cridland.net from it. However, if there's DNSSEC involved, then you could use the hostname if the SRV record were securely signed. | You're always dealing with the name typed by the user, or something you can securely derive from that. So if you start off which dwd@dave.cridland.net, then you can securely derive the domain dave.cridland.net from it. However, if there's DNSSEC involved, then you could use the hostname if the SRV record were securely signed. | ||
Proving that the certificate is valid, though, means also checking the issuer chain of the certificate ends in a Certification | Proving that the certificate is valid, though, means also checking the issuer chain of the certificate ends in a Certification Authority which is itself one of your known trust anchors. Alternately - and when I wrote the above, this was still fairly vague - DNSSEC can provide indications of what certificates are valid, either by suggesting alternate trust anchors, or specifying the certificate itself. | ||
If someone builds a viable Quantum Computer, though, then all bets are off. | If someone builds a viable Quantum Computer, though, then all bets are off. |
edits