[jdev] Heml.is and federation..

Peter Saint-Andre stpeter at stpeter.im
Sat Jul 13 01:23:53 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Matthew! :-)

On 7/12/13 5:34 PM, Matthew Wild wrote:
> On 12 July 2013 22:06, Peter Saint-Andre <stpeter at stpeter.im>
> wrote:
>> Really it's a crime that we don't have ubiquitous s2s and e2e 
>> encryption by now
> 
> As you may know, we thought very seriously about making the
> default behaviour for the next release of Prosody to require
> trusted and valid certificates on all s2s connections. Ultimately
> we decided against it, for now. But I remain optimistic that we
> shall do so in a future version (perhaps after making a POSH
> verification module available).

Sounds good. I do think we're making progress, although I'm frustrated
that it's as slow as it is.

>> but I suppose in fairness to us these are hard problems...
> 
> Name another protocol as widespread as XMPP that has solved them so
> far...? :)

True.

> At least I think we're on the right track, but with things like
> this I think it takes baby-steps. We have come a long way, many
> clients and servers require encryption on c2s now which simply
> wasn't true a few years ago.

Yes, I am hoping / planning to do that at jabber.org before too much
more time goes by. But one thing at a time.

> PS. Anecdotal, but currently on my server:
> 
> 40 "secure" incoming s2s connections (trusted+valid certificate) 37
> encrypted with invalid/self-signed certificates 10 not encrypted at
> all
> 
> 3 of the unencrypted connections are from the personal servers of 
> prominent members of the XMPP community (you [hopefully] know who
> you are). A further 2 are domains I'm responsible for (and a
> server upgrade is already scheduled to fix them), the remaining
> ones are gmail.com and Google-hosted domains.

Hmm, those prominent members of the XMPP community need to get their
act together. ;-)

In general, one thing that might help is a very clear HOWTO on
certificate provisioning, installation, and testing. That way, when
more domains start requiring secure s2s we'll have a friendly manual
at which we can point operators.

Also helpful might be an automated service (xmpp.net?) that would give
you a report about your domain's s2s security status, if you opt in of
course.

Peter

- -- 
Peter Saint-Andre
https://stpeter.im/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJR4KwpAAoJEOoGpJErxa2pjiQQAK4v5kikqhWGDNaGYMgIRKy+
o6+zMGcI1cZbeEtArPK5DnvyUaKrZRdxMeHKvXYyjyot9Wl1ceK+fplL8Dz3NeYM
q+O+vUx4MJJ7q2RL2kv0Mi3nl5027RYq2EpVqs4bbJ9lIrtHsY7IVo9zcs+McHeA
axZqKyj/mapLIHy/ySJqnYt3f6LrZ6eKnjrkhFtL9JA3CuUVuUNAXRRYJxfYa4JE
3hTobDaVC7VAbfeEyhpcHJWCcePUmVDY9RDDPYdzvlnu4W8eVky0B5/UOKzYsj7Q
ZcN8jzL548Ckfv0qO4lHOdNvLWn755OyDxcCNPRtmdg2CSqQNPxyXyKF655SMRwS
PgWzBqy299jN9BWEMFv43JB4i6JRzTRCV8XwvqjWYEq6qSbehAjdF43SsyPqJ3P6
GSE9k32q/fF3eBpN636rUMGUSgEjGJlSGdQhFpMAdF4zpO2vzbbfEbbutfbJiRLi
33lvFYqCvqoUGRcKjkkKCtEaijxnhKJTg1rQP3mdfbIFQZStYG23R4qKSW7+pgsx
fHoywAdTAncgfQ0qRdfBNBftKYanDStwZ1b2Y5S4keIcCWO1mvFEgbeEMEEojFGz
YdpM5oK7AaxRPtmY3ef4QMCQctwlm/ftXB3IZtrcyP/Qt+aj+sdbMDl1qaGmRjn4
eq6vENUzOTKwA1uc0vYi
=xFc1
-----END PGP SIGNATURE-----


More information about the JDev mailing list