[jdev] Hosting issues

Trejkaz trejkaz at trypticon.org
Thu Sep 15 21:19:45 CDT 2005

>> 2) TLS and s2s
>> My users will not have certs for their domains, and even if they did,
>> I wouldn't want to be responsible for keeping their private keys
>> secret.  TLS is not an option for my service.
> Why not?  You might think about obtaining cacert certs during
> provisioning as a part of your service.  You can own the private key
> for jabber.domain.com and that would not conflict with any domain.com
> certificates they may already have.  Then as discussed their DNS host
> would put an SRV record to point to your jabber server.  I think that
> would work anyway...

It would, with a little modification.

CAcert, as it should, only gives certificates to the owner of the domain. 
So if you want to get a certificate for jabber.example.com, then you have
to be receiving mail as the administrator for example.com.

Case in point, our server (jabber.zim.net.au) has had an expired
certificate up for some time now, but because I can't receive the
administrative mail for zim.net.au, my co-admin (who does own the domain)
has to do the job.  And he's lazy, so... no certificate.

A system could be set up, however, where his virtual hosting service
generates the private key and CSR, and sends the CSR to the owner of the
domain.  The owner of the domain can then go through whatever process they
want (CAcert, Thawte, whatever) to get the certificate and then push that
certificate back into the web interface to enable their TLS support.


More information about the JDev mailing list