View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000087||Main CAcert Website||certificate issuing||public||2005-11-22 20:32||2012-12-23 07:36|
|Summary||0000087: Issuing certificates for Jabber servers/users|
|Description||1. Download Net::XMPP -- http://search.cpan.org/~reatmon/Net-XMPP-1.0/|
2. Download sendxmpp -- http://www.djcbsoftware.nl/code/sendxmpp/
3. I've created an account firstname.lastname@example.org
4. Create your ~/.sendxmpprc configuration file in accordance with the man page, normally this will include only the following line:
5. Do this to verify an end-user account of the form email@example.com:
echo "To verify your account, visit http://cacert.org/foo" | sendxmpp firstname.lastname@example.org
6. Do this to verify a Jabber server (host.tld):
echo "To verify your control over this Jabber server, visit http://cacert.org/foo" | sendxmpp host.tld
Probably best to use the -t option which requires SSL/TLS.
|Tags||No tags attached.|
eg JabberID is in the form similar to email addresses email@example.com
So we'd put the Jabber ID (= XMPP address) in as UTF8 at the end. The otherName can also be "id-on-xmppAddr" instead of the numeric object ID (the two are equivalent).
||Duane: That's correct for both clients and servers. In other words, any JabberID (client address or server address) would be represented in the certificate in accordance with section 5.1 of RFC 3920, i.e., as a UTF8String within an otherName entity inside the subjectAltName, using the ASN.1 Object Identifier "id-on-xmppAddr" (which in dotted display format is "22.214.171.124.126.96.36.199.5").|
Do we need this check for jabber servers? Since the domains are verified with the system, there would be no need to verify jabber servers.
Jabber users need to be verified still.
as someone has seemingly implemented support for this (thanks btw!):
I am not sure if the id-on-xmppAddr is correct for IDN (sub-)domains.
My test case was a certificate for `ätsch.mydomain`. I generated the CSR encoding this hostname in punycode, `xn--tsch-koa.mydomain` (possibly pebcak).
In the resulting certificate, commonName, dNSName and id-on-xmppAddr contain this string. I would have expected that id-on-xmppAddr is de-punycoded to an utf8 string (using idna_to_unicode_*), e.g. `ätsch.mydomain` again.
/me pokes stpeter
||Anyone have time/inclination to work on a system to verify jabber user IDs and then issue certificates with extensions?|
|2005-11-22 20:32||duane||New Issue|
|2005-11-22 20:33||duane||Note Added: 0000028|
|2005-12-02 11:06||stpeter||Note Added: 0000051|
|2005-12-08 20:37||evaldo||Note Added: 0000070|
|2006-03-27 04:37||fippo||Note Added: 0000114|
|2006-08-16 05:56||duane||Note Added: 0000503|
|2006-08-16 05:56||duane||Status||new => @30@|
|2006-08-16 18:02||duane||Reporter||duane => stpeter|
|2006-08-16 18:02||duane||Assigned To||=> duane|
|2007-06-25 08:38||evaldo||Assigned To||duane =>|
|2007-06-25 08:38||evaldo||Priority||high => normal|
|2011-06-14 00:23||NEOatNHNG||Status||@30@ => confirmed|
|2012-12-20 18:26||Werner Dworak||Relationship added||related to 0000530|
|2012-12-23 07:30||Werner Dworak||Relationship added||related to 0000851|
|2012-12-23 07:36||Werner Dworak||Relationship added||related to 0001097|