{"draft":"draft-ietf-xmpp-posh-06","doc_id":"RFC7711","title":"PKIX over Secure HTTP (POSH)","authors":["M. Miller","P. Saint-Andre"],"format":["ASCII","HTML"],"page_count":"18","pub_status":"PROPOSED STANDARD","status":"PROPOSED STANDARD","source":"Extensible Messaging and Presence Protocol","abstract":"Experience has shown that it is difficult to deploy proper PKIX\r\ncertificates for Transport Layer Security (TLS) in multi-tenanted\r\nenvironments.  As a result, domains hosted in such environments often\r\ndeploy applications using certificates that identify the hosting\r\nservice, not the hosted domain.  Such deployments force end users and\r\npeer services to accept a certificate with an improper identifier,\r\nresulting in degraded security.  This document defines methods that\r\nmake it easier to deploy certificates for proper server identity\r\nchecking in non-HTTP application protocols.  Although these methods\r\nwere developed for use in the Extensible Messaging and Presence\r\nProtocol (XMPP) as a Domain Name Association (DNA) prooftype, they\r\nmight also be usable in other non-HTTP application protocols.","pub_date":"November 2015","keywords":["Extensible Messaging and Presence Protocol","Jabber","federation"],"obsoletes":[],"obsoleted_by":[],"updates":[],"updated_by":[],"see_also":[],"doi":"10.17487\/RFC7711","errata_url":"https:\/\/www.rfc-editor.org\/errata\/rfc7711"}