Oh bloody hell
2006-01-17 16:18
I just got a phone call as a follow-up to today's IT Syndicate meeting. This was the meeting at which my paper on the Chat service was presented. I have been asked to give a talk to the IT Syndicate Technical Committee in two weeks to "enlighten them about Jabber", whatever that means. I've asked them to give me some specific questions they would like answered or to indicate which parts of my briefing paper they would like me to expand on - I don't know if they want a speaking-to-managers or a speaking-to-techies talk.
But in any case, Bah! and Faugh! How long does this have to take? This started as a skunk works project in October, and I've now been waiting nearly three months to get permission to put _xmpp-{client,server}._tcp.cam.ac.uk SRV records in the DNS.
Update: Looks like it'll be a speaking-to-techies talk, probably including a protocol overview and stuff like that.
Date: 2006-01-19 11:02 (UTC)

The other evil area is TLS certificate verification. The IETF security wonks required the XMPP WG to specify a TLS cert format which is impossible to buy, because it requires the server identity to be recorded with an id-on-xmppAddr OID in an otherName entity inside the subjectAltName. As well as being unable to buy such a beast, there's no documentation about how to create one with OpenSSL - it involves such magic as defining new OIDs in openssl.conf, and beyond that I start to get lost.
(The IETF have perpetrated this stupidity for HTTP too: RFC 2818 says that the cert must identify the server using the dNSName (sic) entity inside the subjectAltName. At least OpenSSL knows about this OID, but still if you buy a certificate it'll use the cn just like certs from 10 years ago, and totally ignore these gratuitous new complexities.)
This is probably soluble by writing a JEP which says how Jabber software should handle de-facto standard cn certs :-)
There's also the question of what name to have in the cert you present to the client. XMPP says it must be the server's JID, i.e. the domain part of the user's JID, in my case cam.ac.uk. However traditional clients seem to check against the server name, in my case chat.cam.ac.uk. I can probably deal with this either by presenting different certs on ports 5222 (starttls, therefore new) and 5223 (tls-on-connect, therefore trad), or by pointing the _xmpp-client SRV record at a different address than chat.cam.ac.uk. Some interop testing will be required.
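As an added example (not part of the post or of the comments above): a shell script that uses the OpenSSL command line to build a self-signed server certificate whose subjectAltName carries the id-on-xmppAddr otherName (OID 1.3.6.1.5.5.7.8.5) for the XMPP domain alongside dNSName entries, so that one certificate satisfies both the name check the comment says XMPP mandates (the domain part of the JID, cam.ac.uk) and the one traditional clients make (the host, chat.cam.ac.uk). The domain and host names are the ones from the comment; the working directory, file names, key size, validity period, the CN choice and the decision to list both names as dNSName as well are assumptions of this example. It writes the OID numerically in the otherName, which OpenSSL accepts without any new OID definition in its config file.

```shell
#!/bin/sh
# Added example, not code from the original post or its comments.
# Generates a self-signed XMPP server certificate with an RFC 3920-style
# id-on-xmppAddr otherName plus dNSName entries, then offers small checks
# on the result. Requires the openssl command-line tool (1.0.2 or later
# for -verify_hostname).
set -e

XMPP_DOMAIN="cam.ac.uk"        # domain part of users' JIDs: the name XMPP wants in the cert
SERVER_HOST="chat.cam.ac.uk"   # host clients connect to: the name traditional clients check
WORKDIR="${TMPDIR:-/tmp}/xmpp-cert-example"   # assumed location for the generated files

# Write a minimal openssl config. The otherName OID is given numerically so it
# works whether or not this OpenSSL build knows it by the name "XmppAddr".
write_config() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = xmpp_ext
prompt             = no

[ dn ]
CN = $SERVER_HOST

[ xmpp_ext ]
basicConstraints = CA:FALSE
subjectAltName   = otherName:1.3.6.1.5.5.7.8.5;UTF8:$XMPP_DOMAIN, DNS:$SERVER_HOST, DNS:$XMPP_DOMAIN
EOF
}

# Generate key and self-signed cert; print the certificate path.
make_cert() {
    mkdir -p "$WORKDIR"
    write_config "$WORKDIR/openssl.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" \
        -config "$WORKDIR/openssl.cnf" >/dev/null 2>&1
    echo "$WORKDIR/cert.pem"
}

# Print the decoded subjectAltName line of a certificate.
san_of() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Succeed if the SAN carries the given dNSName.
has_dnsname() {
    san_of "$1" | grep -qF "DNS:$2"
}

# Succeed if the SAN carries any otherName. OpenSSL 1.x prints it as
# "othername:<unsupported>", 3.x as "othername: XmppAddr::cam.ac.uk"; both match.
has_othername() {
    san_of "$1" | grep -q 'othername'
}

# Hostname check as an RFC 2818-style client performs it. The self-signed cert
# is passed as its own trust anchor purely for the demonstration.
hostname_matches() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Stand-alone run: build the cert and show what ended up in the SAN.
CERT=$(make_cert)
echo "wrote $CERT"
san_of "$CERT"
```

Because the certificate carries dNSName entries, OpenSSL's hostname check ignores the CN entirely, which is why cam.ac.uk is listed as a dNSName as well as in the otherName: a client that checks the JID domain against dNSName (rather than id-on-xmppAddr) would otherwise reject it, while the chat.cam.ac.uk entry keeps pre-XMPP clients that match on the connected host happy. Inspect the otherName bytes with `openssl asn1parse` if your OpenSSL version prints it as unsupported.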
handling de-facto CN certs
Date: 2006-02-24 22:40 (UTC)