[jdev] Heml.is and federation..

Matthew Miller linuxwolf at outer-planes.net
Sat Jul 13 12:24:19 UTC 2013


Reading up on the DNA family, and e2e, would be helpful.  Then providing
feedback, including implementation and deployment experience where possible!

draft-ietf-xmpp-dna-02
draft-miller-posh-00
draft-ietf-dane-srv-02

draft-miller-xmpp-e2e-06

- m&m
{mobile}
Hi Peter! :-)

On Jul 13, 2013, at 4:23 AM, Peter Saint-Andre <stpeter at stpeter.im> wrote:

> Hi Matthew! :-)
>
> On 7/12/13 5:34 PM, Matthew Wild wrote:
>> On 12 July 2013 22:06, Peter Saint-Andre <stpeter at stpeter.im>
>> wrote:
>>> Really it's a crime that we don't have ubiquitous s2s and e2e
>>> encryption by now
>>
>> As you may know, we thought very seriously about making the
>> default behaviour for the next release of Prosody to require
>> trusted and valid certificates on all s2s connections. Ultimately
>> we decided against it, for now. But I remain optimistic that we
>> shall do so in a future version (perhaps after making a POSH
>> verification module available).
>
> Sounds good. I do think we're making progress, although I'm frustrated
> that it's as slow as it is.
>

+1 even though I do nothing myself, so I can blame myself as well. :-)
How can I actually help out? Reading up on POSH and friends?


>>> but I suppose in fairness to us these are hard problems...
>>
>> Name another protocol as widespread as XMPP that has solved them so
>> far...? :)
>
> True.
>
>> At least I think we're on the right track, but with things like
>> this I think it takes baby-steps. We have come a long way, many
>> clients and servers require encryption on c2s now which simply
>> wasn't true a few years ago.
>
> Yes, I am hoping / planning to do that at jabber.org before too much
> more time goes by. But one thing at a time.
>
>> PS. Anecdotal, but currently on my server:
>>
>> 40 "secure" incoming s2s connections (trusted+valid certificate)
>> 37 encrypted with invalid/self-signed certificates
>> 10 not encrypted at all
>>
>> 3 of the unencrypted connections are from the personal servers of
>> prominent members of the XMPP community (you [hopefully] know who
>> you are). A further 2 are domains I'm responsible for (and a
>> server upgrade is already scheduled to fix them), the remaining
>> ones are gmail.com and Google-hosted domains.
>
> Hmm, those prominent members of the XMPP community need to get their
> act together. ;-)
>
> In general, one thing that might help is a very clear HOWTO on
> certificate provisioning, installation, and testing. That way, when
> more domains start requiring secure s2s we'll have a friendly manual
> at which we can point operators.

Good idea. It's easy to set up XMPP servers, but certificates etc. are always
a pain in the b...

>
> Also helpful might be an automated service (xmpp.net?) that would give
> you a report about your domain's s2s security status, if you opt in of
> course.

+1 That would be cool!

>
> Peter
>
> - --
> Peter Saint-Andre
> https://stpeter.im/
>
>
> _______________________________________________
> JDev mailing list
> Info: http://mail.jabber.org/mailman/listinfo/jdev
> Unsubscribe: JDev-unsubscribe at jabber.org
> _______________________________________________

/Steffen
