View Issue Details

IDProjectCategoryView StatusLast Update
0000087Main CAcert Websitecertificate issuingpublic2012-12-23 07:36
Reporterstpeter Assigned To 
PrioritynormalSeverityfeatureReproducibilityalways
Status confirmedResolutionopen 
Summary0000087: Issuing certificates for Jabber servers/users
Description1. Download Net::XMPP -- http://search.cpan.org/~reatmon/Net-XMPP-1.0/

2. Download sendxmpp -- http://www.djcbsoftware.nl/code/sendxmpp/

3. I've created an account user@isp.com

4. Create your ~/.sendxmpprc configuration file in accordance with the man page, normally this will include only the following line:

   user@isp.com your-password-here

5. Do this to verify an end-user account of the form user@host.tld:

   echo "To verify your account, visit http://cacert.org/foo" | sendxmpp user@host.tld

6. Do this to verify a Jabber server (host.tld):

   echo "To verify your control over this Jabber server, visit http://cacert.org/foo" | sendxmpp host.tld

Probably best to use the -t option which requires SSL/TLS.
TagsNo tags attached.
Reviewed by
Test Instructions

Relationships

related to 0000530 closed XMPP extension not present after renewal 
related to 0000851 new Problems with diacritical letters in CAP-Form and certifcate 
related to 0001097 closedNEOatNHNG Special characters which have no HTML-entities are not properly escaped 

Activities

duane

2005-11-22 20:33

developer   ~0000028

subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:<jabberID>

eg JabberID is in the form similar to email addresses user@isp.com

So we'd put the Jabber ID (= XMPP address) in as UTF8 at the end. The otherName can also be "id-on-xmppAddr" instead of the numeric object ID (the two are equivalent).

stpeter

2005-12-02 11:06

updater   ~0000051

Duane: That's correct for both clients and servers. In other words, any JabberID (client address or server address) would be represented in the certificate in accordance with section 5.1 of RFC 3920, i.e., as a UTF8String within an otherName entity inside the subjectAltName, using the ASN.1 Object Identifier "id-on-xmppAddr" (which in dotted display format is "1.3.6.1.5.5.7.8.5").

evaldo

2005-12-08 20:37

developer   ~0000070

Do we need this check for jabber servers? Since the domains are verified with the system, there would be no need to verify jabber servers.

Jabber users need to be verified still.

fippo

2006-03-27 04:37

reporter   ~0000114

as someone has seemingly implemented support for this (thanks btw!):
I am not sure if the id-on-xmppAddr is correct for IDN (sub-)domains.

My test case was a certificate for `├Ątsch.mydomain`. I generated the CSR encoding this hostname in punycode, `xn--tsch-koa.mydomain` (possibly pebcak).

In the resulting certificate, commonName, dNSName and id-on-xmppAddr contain this string. I would have expected that id-on-xmppAddr is de-punycoded to an utf8 string (using idna_to_unicode_*), e.g. `├Ątsch.mydomain` again.

/me pokes stpeter

duane

2006-08-16 05:56

developer   ~0000503

Anyone have time/inclination to work on a system to verify jabber user IDs and then issue certificates with extensions?

Issue History

Date Modified Username Field Change
2005-11-22 20:32 duane New Issue
2005-11-22 20:33 duane Note Added: 0000028
2005-12-02 11:06 stpeter Note Added: 0000051
2005-12-08 20:37 evaldo Note Added: 0000070
2006-03-27 04:37 fippo Note Added: 0000114
2006-08-16 05:56 duane Note Added: 0000503
2006-08-16 05:56 duane Status new => @30@
2006-08-16 18:02 duane Reporter duane => stpeter
2006-08-16 18:02 duane Assigned To => duane
2007-06-25 08:38 evaldo Assigned To duane =>
2007-06-25 08:38 evaldo Priority high => normal
2011-06-14 00:23 NEOatNHNG Status @30@ => confirmed
2012-12-20 18:26 Werner Dworak Relationship added related to 0000530
2012-12-23 07:30 Werner Dworak Relationship added related to 0000851
2012-12-23 07:36 Werner Dworak Relationship added related to 0001097