[Standards] compliance: cert(s)

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Fri Jun 15 14:38:55 CDT 2007


On Friday 15 June 2007 11:03 am, Peter Saint-Andre wrote:
> Mridul Muralidharan wrote:
> > Justin Karneges wrote:
> >> On Thursday 14 June 2007 2:59 pm, Peter Saint-Andre wrote:
> >>> Would it be appropriate to recommend that client and server developers
> >>> bundle support for the root certificate under which the XMPP ICA issues
> >>> domain certificates?
> >>
> >> The XSF is not in a position to vouch for the trustworthiness of a
> >> certificate authority.
> >
> > +1
>
> The XSF runs the XMPP Intermediate Certification Authority, so I'd hope
> we can trust it. We do not run the root CA upon which the XMPP ICA depends.

The XSF runs an ICA, but that alone is not enough of a reason for XMPP 
developers and users to trust it.  The reason the XMPP ICA is interesting is 
because it is under StartCom control, and StartCom is widely trusted.  To 
better understand what I mean, just imagine if the XMPP CA was an independent 
root CA.  The value comes not from the XSF's booming voice, but from 
StartCom. :)

Anyway, there's nothing wrong with having a recommendation, and I see you've 
already published new versions of the XEP with it.  However, it does come off 
as an advertisement, which is a strange thing to have in a XEP.  You could 
just as well advertise Equifax, I'm sure they have a number of XMPP domain 
certificates issued too.

> The certificate for the root CA is included in the Mozilla store, the
> store on various flavors of Linux as well as Mac OS X 10.5. I do not
> know when it might be included on Windows.

Right, bundling does have value.  The Psi 0.11 release candidate ships the 
StartCom root, for example.  However, Psi only does this because Mozilla does 
this.  Really, it is important here to realize who is in a position to vouch 
for trust.  XSF and Psi are unable to do this, but the Mozilla Foundation is, 
and so that's the authority Psi draws from, *not* any XSF recommendation.

-Justin

