[jadmin] trusted federation

Peter Saint-Andre stpeter at stpeter.im
Fri Jan 18 14:04:09 CST 2008


Marco d'Itri wrote:
> On Jan 18, Harald Braumann <harry at unheit.net> wrote:
> 
>> actually I don't see why I should trust a certificate just because it
>> is signed by "We're trustworthy, really, Inc." That's as good as a
>> self-signed one. The whole idea of X.500, i.e. increasing security by
>> establishing a centralised hierarchical system is flawed.
> Indeed. XMPP is supposed to be a decentralized system, adding a central
> authority that will decide who can or cannot have a jabber server does
> not look like a great idea to me.

No one is saying that there must be *a* centralized CA for the entire 
XMPP network. Trusted federation means you can rely on a whole list of 
trusted roots, just like people already do at the application layer 
(e.g., Mozilla cert store) or OS layer (e.g., Apple Keychain).

And no one is saying that there must be one security policy followed by 
all jabber server deployments.

Some deployments might think that dialback with no certificate is fine. 
That has worked well for us since October 2000 (jabberd 1.2). But then 
you have no encryption of the s2s link, and a lot of admins seem to 
think that we need to move beyond unencrypted federation.

Some deployments might think that dialback with a self-signed 
certificate is fine (and that will probably be the default on most of 
the open network if I'm reading the list consensus correctly).

Some deployments might think that TLS + SASL with trusted roots and 
mutual authentication is preferred or required, and they will 
communicate only with peers who support that.

Some deployments might think that TLS + SASL with a single trusted root 
is required (e.g., "islands" in the federation for certain industries).

You still have choice and you still have the freedom to run your xmpp 
service however you please. Order will emerge from the security policy 
decisions made by all the services that are on the open network (and 
services that aren't on the open network but that interoperate amongst 
themselves).

This is not about closing the network; this is about improving the 
network by making it more secure while still making it relatively easy 
for people to add new servers to the network.

> Different idea: keys in the DNS tree, eventually protected by DNSSEC.

Oh yes, DNSSEC adoption has been huge. ;-)

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
