[Standards] compliance: cert(s)

Mridul Muralidharan mridul at sun.com
Fri Jun 15 19:15:38 CDT 2007


Peter Saint-Andre wrote:
> Mridul Muralidharan wrote:
>> Justin Karneges wrote:
>>> On Thursday 14 June 2007 2:59 pm, Peter Saint-Andre wrote:
>>>> Would it be appropriate to recommend that client and server developers
>>>> bundle support for the root certificate under which the XMPP ICA issues
>>>> domain certificates?
>>>
>>> The XSF is not in a position to vouch for the trustworthiness of a 
>>> certificate authority.  
>>
>> +1
> 
> The XSF runs the XMPP Intermediate Certification Authority, so I'd hope 
> we can trust it. We do not run the root CA upon which the XMPP ICA depends.

ICA has value since it provides an easy way to obtain an xmpp 
certificate with the oid defined ... which is usually a pain.
But this is just based on top of startcom - and the trust for startcom 
should come from web of trust, not because xsf vouches for it.
So xmpp ica is as trustworthy as startcom ca is.
If tomorrow we support other CAs, or possibly move away from ica, the 
protocol spec would still remain unchanged, and tls's web of trust will 
take care of certificate verification (for people with ocsp enabled for 
example).

Which is why I mentioned that we could have a wiki page which talks 
about how deployers/admins (not developers) can obtain xmpp certificates 
(we do not have client certs there, do we?) from xca and point a link 
from protocol to that page as 'helpful info'. This could then be 
referenced by developers, admins and deployers, while we could keep it up 
to date more easily.

> 
>>> At best, you could cite some other organization as being the
>>> basis of the recommendation.  For example, a XEP could claim that 
>>> StartCom is WebTrust-certified, and is therefore generally accepted 
>>> as trustworthy for economic usage over the open internet.
>>>
>>> That said, I think making a recommendation like this is mostly 
>>> redundant.
>>
>> Yes, if it is trusted, most keystores will already include it as a ca 
>> by default.
> 
> The certificate for the root CA is included in the Mozilla store, the 
> store on various flavors of Linux as well as Mac OS X 10.5. I do not 
> know when it might be included on Windows.


Not yet the last time I checked.

Mridul

> 
> Peter
> 

