[jadmin] Google Talk federation policy proposal
stpeter at jabber.org
Fri Aug 26 10:15:09 CDT 2005
Jacek Konieczny wrote:
> First, I don't think using TLS for s2s should be a requirement.
> Dialback is a quite good mechanism for domain "authentication". It may
> be broken by DNS spoofing, but DNS spoofing doesn't seem to be effective
> enough to be useful for spammers. Requiring a certificate signed by
> a provided CA list is telling people who to trust and where they should
> buy their certificates. Most CAs won't give you a certificate useful
> for virtual-hosting XMPP server (serving multiple domains) and probably
> no XMPP server certificate would make use of such certificates anyway.
Well, there's always CAcert -- no purchase required.
Another option would be for Google to initiate connections outbound to
any server, but accept inbound connections only from domains to which it
has issued a "client certificate". Google would define a process by
which you could obtain such a client certificate, and your domain would
present that when it attempts to connect to talk.google.com.
> What is needed for a good federation policy is:
> - working abuse reporting procedure. When an incident is reported
> the source server contact address for its administrators should be
> known and the administrators must be able to block the abuser for good
> (so it won't use the same account again and won't create 100 new
> accounts in the next minute)
So for that we need:
1. defined contact addresses via the JEP we need to write (see thread on
the Standards-JIG list)
2. an easier way for server administrators to disable user accounts
> - no easy identity theft -- passwords should not be sent in clear-text
> and it should not be possible to hijack any XMPP session.
Yes, and we already have that via TLS+SASL (even SASL plain) or SSL (on
port 5223) and jabber:iq:auth (even plaintext password login). Notice
that this is what talk.google.com does today.
> - a way to disconnect any server breaking the policy from the federation
> (white or black list, as you suggest)
It seems that this is a role the JSF could play.
Jabber Software Foundation