[jadmin] trusted federation
Peter Saint-Andre
stpeter at stpeter.im
Thu Jan 17 18:23:17 CST 2008
Matt Tucker wrote:
> Peter,
>
> I like the idea. Setting a date and working towards it is a great
> idea. Of course, getting Google signed on to this would be the
> ultimate way of making it happen. :)
Sure thing. :) This is definitely an idea we'll need to socialize for a
while before taking the plunge.
> As a counter argument, it's definitely a higher setup burden to get
> trusted certificates working. We've done what we can to make it
> simpler in Openfire, but it's still not trivial:
>
> http://www.igniterealtime.org/community/blogs/ignite/2007/11/30/your-certificate-survival-kit
Yes, that has helped a lot, thanks!
> Continuing to lower the setup burden in all servers will be key.
Naturally, let's try to make obtaining a proper server certificate as
easy as possible. It would be even easier to set up a server if admins
didn't have to do all that DNS configuration. What a pain! But then we'd
have promiscuous federation. The question is: what's appropriate and
acceptable for the XMPP server network? From jabberd 1.2 in October 2000
until today, verified federation (dialback) has been good enough. And
maybe dialback + TLS-with-self-signed-certificates is good enough. But I
think the day is coming when unencrypted s2s will no longer be
acceptable (if that day has not already come and gone). And if we're
going to do secure federation, why not do it right and use proper
digital certificates?
Peter
--
Peter Saint-Andre
https://stpeter.im/