[jdev] Second-guessing dns for s2s

Tijl Houtbeckers thoutbeckers at splendo.com
Sat Sep 24 20:24:15 CDT 2005

On Sun, 25 Sep 2005 02:55:09 +0200, David Waite <dwaite at gmail.com> wrote:

> On 9/24/05, Matt Tucker <matt at jivesoftware.com> wrote:
>> Tjil,
> <snip>
>> > While requiring a signed certificate is a step up, it is only
>> > a small step it. It are still unknown servers you are talking
>> > to, thus unknown certificates.
>> That's the point of a CA. If a CA signs a cert, that means you should
>> trust it. No security is perfect, but the CA system is the bedrock of
>> internet security. I don't particularly like how the CA system works,
>> but that's another issue.
> Right - certificate chains are chains of trust, ownership of a cert is
> meant as proof of identity. By trusting a CA you are saying that CA is
> trusted for authentication, like how you would delegate authentication
> to a LDAP within your domain.

Wrong - ask any CA if they want to be held responsible for what people do  
with the certificates that get handed out to them. They'll say: hell no.  
The only thing they try to sell you on, is that when one of those  
certificates is used (for example to enable encryption) you can be pretty  
damned sure (I doubt that even the CAs will try and convince you it's 100%  
sure, not CAcert nor any of the others) it was registered by who/whatever  
the certificate says it is registered to. That's it folks, how badly you  
want to put your trust in the person/orginization listed there, is your  
own responsibility, and any CA will tell you that.

In the case of open dailback/sasl, that means putting your trust in  
complete strangers. I don't know about you, but that's not how I typically  
run the LDAP server for a domain.

More information about the JDev mailing list