From 9598e7941630fca6d6000c7a9f223e6137b6f4e6 Mon Sep 17 00:00:00 2001 From: Peter Saint-Andre Date: Tue, 28 Nov 2006 03:05:50 +0000 Subject: [PATCH] 0.4 git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@230 4b5297f7-1745-476d-ba37-a9c6900126ab --- xep-0178.xml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/xep-0178.xml b/xep-0178.xml index 52d23353..aa96945e 100644 --- a/xep-0178.xml +++ b/xep-0178.xml @@ -22,6 +22,12 @@ N/A &stpeter; &pgmillard; + + 0.4 + 2006-11-27 + psa +

Modified XMPP address encapsulation methods per rfc3920bis; clarified conditions for certificates to be considered acceptable.

+
0.3 2006-09-21 @@ -116,7 +122,7 @@

Server validates certificate.

  1. -

    If certification authority is untrusted or certificate has been revoked, server closes client's TCP connection.

    +

    If certificate is unacceptable (e.g., because the certificate has been revoked, because the certificate has expired, or because the root certificate was issued by a certification authority that is untrusted), server closes client's TCP connection.

  2. Else server completes successful TLS negotiation and client initiates a new stream header to server.
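Review bot: the third example in the new condition, "the root certificate was issued by a certification authority that is untrusted", misdescribes the check; a root certificate is self-issued, and what the server actually tests is whether the client's certificate chains to a certification authority the server trusts, so "because the certificate does not chain to a trusted certification authority" would state the condition correctly. The list is also introduced with "e.g.", which makes it non-normative; if these criteria are meant to be the test that triggers closing the connection, state them as the definition of an unacceptable certificate rather than as examples, and consider covering a certificate whose validity period has not yet begun alongside "expired".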

    @@ -164,7 +170,7 @@

    Server determines whether to allow authenticatation of user.

    1. -

      If the certificate presented by the client contains only one valid XMPP address A valid XMPP address is a JID encapsulated as a subjectAltName with an ASN.1 Object Identifier of "id-on-xmppAddr" (which is equivalent to the dotted display format of "1.3.6.1.5.5.7.8.5"). that corresponds to a registered account on the server, the server SHOULD allow authentication of that JID.

      +

      If the certificate presented by the client contains only one valid XMPP address that corresponds to a registered account on the server, the server SHOULD allow authentication of that JID. For the purpose of client authentication with a server, a valid XMPP address is a JID encapsulated as a subjectAltName entity of type otherName with an ASN.1 Object Identifier of "id-on-xmppAddr" as specified in Section 5.1.1. of RFC 3920.

      ]]> @@ -252,7 +258,7 @@

      Server2 validates certificate.

      1. -

        If certification authority is untrusted or certificate has been revoked, Server2 closes Server1's TCP connection.

        +

        If certificate is unacceptable (e.g., because the certificate has been revoked, because the certificate has expired, or because the root certificate was issued by a certification authority that is untrusted), Server2 closes Server1's TCP connection.

      2. Else Server2 completes successful TLS negotiation and Server1 initiates a new stream header to Server2.
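Review bot: this hunk carries the same acceptability wording as the client-to-server validation hunk, including the "root certificate was issued by a certification authority that is untrusted" phrasing, so any correction made there has to be mirrored here by hand; better to define "unacceptable certificate" once and reference that definition from both the client-to-server and the server-to-server flows so the two passages cannot drift apart in later revisions.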

        @@ -301,7 +307,7 @@

        Server2 determines if hostname is valid.

        1. -

          If the authorization identity provided by Server1 matches one of the valid XMPP addresses A valid XMPP address is a JID encapsulated as a subjectAltName with an ASN.1 Object Identifier of "id-on-xmppAddr" (which is equivalent to the dotted display format of "1.3.6.1.5.5.7.8.5"). in the certificate or one of the Common Names in the certificates, Server2 SHOULD return success.

          +

          If the authorization identity provided by Server1 matches one of the valid XMPP addresses in the certificate, Server2 SHOULD return success. For the purpose of server authentication with another server, a valid XMPP address is a JID encapsulated as a subjectAltName extension of type otherName with an ASN.1 Object Identifier of "id-on-xmppAddr" or a domain name (which MAY include the wildcard character '*') encapsulated as a subjectAltName extension of type dNSName.

          ]]>
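Review bot: in the client authentication hunk (@@ -164,7 +170,7 @@) the new text calls the XMPP address a "subjectAltName entity of type otherName", while the server-to-server hunk in this same patch says "subjectAltName extension of type otherName"; use one term, and "extension" is the X.509 one. The rewrite also cites "Section 5.1.1. of RFC 3920" although the commit message says the encapsulation methods were changed per rfc3920bis; confirm which document the reference should point at. Dropping the dotted form "1.3.6.1.5.5.7.8.5" from this sentence leaves implementers without the OID value unless they follow the reference, so keeping it in parentheses would cost nothing.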
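Review bot: the final hunk (@@ -301,7 +307,7 @@) silently drops matching against the certificate's Common Names, which the removed line allowed, so existing Server1 certificates that carry the domain only in the CN would stop passing this step; if that is intended per rfc3920bis, say so in the 0.4 changelog entry, and if a transition period is wanted, keep CN as a fallback only when no subjectAltName is present. The added dNSName clause permits the wildcard character '*' but gives no matching rule (which label the wildcard may occupy, whether it may match more than one label, and whether a dNSName wildcard may also satisfy an id-on-xmppAddr comparison); specify the rule or reference one, since without it a wildcard name could be read as matching far more identities than its issuer vetted.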