[jdev] Heml.is and federation..

Peter Saint-Andre stpeter at stpeter.im
Fri Jul 12 21:01:28 UTC 2013


On 7/12/13 2:21 PM, Kevin Smith wrote:
> On Fri, Jul 12, 2013 at 9:16 PM, Peter Saint-Andre
> <stpeter at stpeter.im> wrote:
>> In general, XMPP server implementations don't perform proper (RFC
>> 6125 / RFC 6120) certificate checking and don't have an option to
>> refuse connections from domains that lack proper certificates.
> 
> I thought we found in our S2S TLS interop tests a couple of years
> ago that servers generally /did/ have the options for doing secure
> S2S (with one or two exceptions), it's just that they don't get
> enabled in typical deployments.
> 
> There is certainly a problem here, but it doesn't seem to me it's
> that code hasn't been written.

In the main I think you're right, although I'm not positive that all
servers perform all of the checks mentioned in RFC 6120:

http://xmpp.org/rfcs/rfc6120.html#security-certificates-validation

But the real problems seem to be in deployments, not implementations.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/



