Written by Dave Cridland, with review and comments by Matthew Miller.
The Knight's Tale
The brave Knight approached the Wizard with some caution, because it was the first time he'd been in an analogy.
"Oh mighty Wizard of Os!" he cried, beseechingly.
"Yup?" said the Wizard.
The Knight raised an eyebrow.
"Approach, brave Knight?" tried the Wizard.
The Knight lowered the eyebrow, and nodded briefly, before speaking again.
"My quest is for a Fairy Of Destiny, and I seek your wisdom," he said.
The Wizard, now fully warmed up, waved an arm dramatically, saying, "A most noble quest. What advice may I give you?"
"Where shall I find a Fairy Of Destiny, and how shall I know it is she?"
The Knight paused, pensively.
"Or possibly he," he added.
The Wizard nodded, thoughtfully.
"It is a difficult task. You must traverse the Maze Of Ip."
"The Maze Of Ip? Is that not full of twisty turny passages?" the Knight asked, aghast.
"Yes," agreed the Wizard.
"And are they not all alike?"
"They would be, if it weren't for the fact that Activision might sue us," the Wizard mused.
"Then how shall I find my way?"
"You must ask the, erm, Sages Of Dns."
"How did you pronounce that again?" asked the Knight, caught off-balance.
"Dns," said the Wizard, more clearly.
"Right," said the Knight, thinking, "And these Sages of..."
He stopped for a moment, and then continued.
"These Sages are trustworthy guides through the Maze Of Ip?"
"Most of the time. Well. The Sages, they're not evil per-se," said the Wizard, "but the problem is that they're old, and can sometimes be confused by evil forces. Some of them, however, are the younger Sages Of Dnssec, too, and those ones are always trustworthy, as they carry the Wards Of Crypto."
"Oh," said the Knight, "so I may trust the directions from the Sages Of Dnssec, but not those of the Sages Of Dns?"
"So how do I know if I have truly found a Fairy Of Destiny?" asked the Knight.
"Well, every Fairy has a Magic Certificate, granted to it by one of the Fairy Lords Of Ca," explained the Wizard, "and upon this Magic Certificate is inscribed the Names of the Fairy. These, too, are protected against the forces of evil by the Wards Of Crypto."
"These Wards Of Crypto are indeed powerful beyond understanding. But, tell me, why the capitalization on Name?" asked the Knight.
"Many Names can be written upon a Magic Certificate. So a Fairy Of Destiny may have that Name upon her - or possibly his - Magic Certificate. Another type of Name is the directions from the Sages Of Dns."
"So which Name should I be looking for - any of them?" asked the Knight, wishing he had opted for dragon slaying, which seemed an altogether simpler career.
"You may look for either the Name of that which you seek, or a Name you have been given by a trustworthy Sage."
"And so as long as the Magic Certificate has the right Name on it, and has been granted by a Fairy Lord Of Ca, then I shall know the Fairy to be true?"
"Not just any Lord, but a trustworthy one. Here," said the Wizard, "I'll give you a list," and handed the Knight a large piece of paper, with a list of the trustworthy Fairy Lords Of Ca. On the top, were two pictures, one of a Trust, and one of an Anchor.
"I always wondered how you drew a Trust," said the Knight, and thanked the Wizard.
"Don't mention it. Just remember, you must only extend your trust when protected by the Wards Of Crypto."
"Except in your case, right?"
"Well, obviously," harrumphed the Wizard, looking slightly peeved.
And with that, the Knight went on his way.
From that day forth, no evil Fairy could defeat him.
Some fairies tried to present him with Magic Certificates they had simply granted themselves, but he laughed at them.
Some fairies confused the Sages Of Dns, and the presented Magic Certificates telling him he'd followed these wrong directions perfectly well - but though he knew these Magic Certificates had been granted by the Fairy Lords on his Trust Anchor list, they did not have the Name which he sought.
But one Fairy had the Name of the Fairy Of Destiny upon his, or possibly her, Magic Certificate, and this Fairy the Knight knew to be true.
And another Fairy had the Name the Sages Of Dnssec had given him upon her, or possibly his, Magic Certificate, and so the brave Knight knew this Fairy was a true Fairy Of Destiny too.
And so they all lived happily ever after.
Until the Quantum Dragon arrived and destroyed the Wards Of Crypto.
How you're meant to do it
When authenticating a certificate, you look for a SAN which matches the asserted identity. So if a remote site asserts it is the XMPP server for dave.cridland.net, you can look for a SAN which proves it - which could be a srvName of _xmpp-server.dave.cridland.net, or a uRIName of xmpp:dave.cridland.net, or a dNSName or dave.cridland.net or ...
If there are no SANs of a suitable type (none, or only, say, a directoryName) then you drop to looking for a Common Name within the Subject. This is normally referred to as "The Common Name of the cert", which makes as much sense as "The letter of your name".
You're always dealing with the name typed by the user, or something you can securely derive from that. So if you start off which email@example.com, then you can securely derive the domain dave.cridland.net from it. However, if there's DNSSEC involved, then you could use the hostname if the SRV record were securely signed.
Proving that the certificate is valid, though, means also checking the issuer chain of the certificate ends in a Certification Authority which is itself one of your known trust anchors. Alternately - and when I wrote the above, this was still fairly vague - DNSSEC can provide indications of what certificates are valid, either by suggesting alternate trust anchors, or specifying the certificate itself.
If someone builds a viable Quantum Computer, though, then all bets are off.