[Standards] compliance: cert(s)

Matthias Wimmer m at tthias.eu
Fri Jun 15 15:32:37 CDT 2007


Hi Justin!

Justin Karneges wrote:
> The XSF runs an ICA, but that alone is not enough of a reason for XMPP 
> developers and users to trust it.  The reason the XMPP ICA is interesting is 
> because it is under StartCom control, and StartCom is widely trusted.  To 
> better understand what I mean, just imagine if the XMPP CA was an independent 
> root CA.  The value comes not from the XSF's booming voice, but from 
> StartCom. :)

> Anyway, there's nothing wrong with having a recommendation, and I see you've 
> already published new versions of the XEP with it.  However, it does come off 
> as an advertisement, which is a strange thing to have in a XEP.  You could 
> just as well advertise Equifax, I'm sure they have a number of XMPP domain 
> certificates issued too.
> 
> Right, bundling does have value.  The Psi 0.11 release candidate ships the 
> StartCom root, for example.  However, Psi only does this because Mozilla does 
> this.  Really, it is important here to realize who is in a position to vouch 
> for trust.  XSF and Psi are unable to do this, but the Mozilla Foundation is, 
> and so that's the authority Psi draws from, *not* any XSF recommendation.

+3 ... one for each chapter ...

While I do bundle the StartCom root certificate with jabberd14 as well,
I also do not do this because of any XEP.

Me as well, I would consider it at least very strange if any XEP
advertises or recommends any certification authority. You also won't
find any recommended CA in RFC 2818 (HTTP over TLS).


Matthias

-- 
Matthias Wimmer      Fon +49-700 77 00 77 70
Züricher Str. 243    Fax +49-89 95 89 91 56
81476 München        http://ma.tthias.eu/


