[Standards] compliance: cert(s)
justin-keyword-jabber.093179 at affinix.com
Fri Jun 15 19:38:55 UTC 2007

On Friday 15 June 2007 11:03 am, Peter Saint-Andre wrote:
> Mridul Muralidharan wrote:
> > Justin Karneges wrote:
> >> On Thursday 14 June 2007 2:59 pm, Peter Saint-Andre wrote:
> >>> Would it be appropriate to recommend that client and server developers
> >>> bundle support for the root certificate under which the XMPP ICA issues
> >>> domain certificates?
> >> The XSF is not in a position to vouch for the trustworthiness of a
> >> certificate authority.
> > +1
> The XSF runs the XMPP Intermediate Certification Authority, so I'd hope
> we can trust it. We do not run the root CA upon which the XMPP ICA depends.

The XSF runs an ICA, but that alone is not enough of a reason for XMPP
developers and users to trust it. The reason the XMPP ICA is interesting is
because it is under StartCom control, and StartCom is widely trusted. To
better understand what I mean, just imagine if the XMPP CA was an independent
root CA. The value comes not from the XSF's booming voice, but from

Anyway, there's nothing wrong with having a recommendation, and I see you've
already published new versions of the XEP with it. However, it does come off
as an advertisement, which is a strange thing to have in a XEP. You could
just as well advertise Equifax, I'm sure they have a number of XMPP domain
certificates issued too.

> The certificate for the root CA is included in the Mozilla store, the
> store on various flavors of Linux as well as Mac OS X 10.5. I do not
> know when it might be included on Windows.

Right, bundling does have value. The Psi 0.11 release candidate ships the
StartCom root, for example. However, Psi only does this because Mozilla does
this. Really, it is important here to realize who is in a position to vouch
for trust. XSF and Psi are unable to do this, but the Mozilla Foundation is,
and so that's the authority Psi draws from, *not* any XSF recommendation.