[jdev] Heml.is and federation..
stpeter at stpeter.im
Tue Jul 16 19:36:48 UTC 2013
On 7/12/13 10:51 PM, Steffen Larsen wrote:
> Hi Peter! :-)
> On Jul 13, 2013, at 4:23 AM, Peter Saint-Andre <stpeter at stpeter.im> wrote:
>> Hi Matthew! :-)
>> On 7/12/13 5:34 PM, Matthew Wild wrote:
>>> On 12 July 2013 22:06, Peter Saint-Andre
>>> <stpeter at stpeter.im> wrote:
>>>> Really it's a crime that we don't have ubiquitous s2s and
>>>> e2e encryption by now
>>> As you may know, we thought very seriously about making the
>>> default behaviour for the next release of Prosody to require
>>> trusted and valid certificates on all s2s connections.
>>> Ultimately we decided against it, for now. But I remain
>>> optimistic that we shall do so in a future version (perhaps
>>> after making a POSH verification module available).
>> Sounds good. I do think we're making progress, although I'm
>> frustrated that it's as slow as it is.
> +1 even though I do nothing myself, so I can blame myself as
> well. :-) How can I actually help out? Reading up on POSH and
>>>> but I suppose in fairness to us these are hard problems...
>>> Name another protocol as widespread as XMPP that has solved
>>> them so far...? :)
>>> At least I think we're on the right track, but with things
>>> like this I think it takes baby steps. We have come a long
>>> way; many clients and servers require encryption on c2s now,
>>> which simply wasn't true a few years ago.
>> Yes, I am hoping / planning to do that at jabber.org before too
>> much more time goes by. But one thing at a time.
>>> PS. Anecdotal, but currently on my server:
>>> 40 "secure" incoming s2s connections (trusted+valid certificate)
>>> 37 encrypted with invalid/self-signed certificates
>>> 10 not encrypted at all
>>> 3 of the unencrypted connections are from the personal
>>> servers of prominent members of the XMPP community (you
>>> [hopefully] know who you are). A further 2 are domains I'm
>>> responsible for (and a server upgrade is already scheduled to
>>> fix them), the remaining ones are gmail.com and Google-hosted
>> Hmm, those prominent members of the XMPP community need to get
>> their act together. ;-)
>> In general, one thing that might help is a very clear HOWTO on
>> certificate provisioning, installation, and testing. That way,
>> when more domains start requiring secure s2s we'll have a friendly
>> manual at which we can point operators.
> Good idea. It's easy to set up XMPP servers, but certificates etc.
> are always a pain in the b...
Yes, and it's a PITA that I need to fumble with my keys in order to
walk into my house. Security isn't easy. :-)
I do think that a friendly XMPP-certificates HOWTO would help.
>> Also helpful might be an automated service (xmpp.net?) that would
>> give you a report about your domain's s2s security status, if you
>> opt in of course.
> +1 That would be cool!
OK, that sounds like a fun project. ;-)
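The opt-in status report floated at the end of the thread needs two pieces of logic, sketched here as an added example (not code from the thread, from Prosody, or from xmpp.net): bucketing each inbound s2s connection into the three categories of Matthew's anecdote, and checking whether the peer certificate's names actually cover the asserted XMPP domain using the identity types RFC 6120 lists for server certificates (DNS-ID, SRV-ID `_xmpp-server.<domain>`, XmppAddr), with the RFC 6125 rule that a wildcard may only stand for the whole leftmost label. The `S2SConnection` record, the `classify_connection`/`s2s_report` names and the sample domains are constructed for this example; a real service would populate the record from the TLS handshake and the server's trust store.

```python
"""Added example (not from the jdev thread): building blocks for an
s2s security status report.

classify_connection() puts one inbound s2s stream into the three buckets
from Matthew's anecdote (secure / encrypted-untrusted / plaintext).
cert_matches_domain() checks the certificate identities RFC 6120 names
for servers: DNS-ID, SRV-ID "_xmpp-server.<domain>", and XmppAddr.
All input records below are constructed; nothing is fetched.
"""
from collections import Counter
from dataclasses import dataclass, field

SECURE, UNTRUSTED, PLAINTEXT = "secure", "encrypted-untrusted", "plaintext"


@dataclass
class S2SConnection:
    """One inbound server-to-server stream (constructed fields)."""
    domain: str                        # XMPP domain the peer asserts
    tls: bool                          # STARTTLS negotiated?
    chain_trusted: bool = False        # chains to a CA we trust
    dns_ids: list = field(default_factory=list)     # dNSName SANs
    srv_ids: list = field(default_factory=list)     # SRVName SANs
    xmpp_addrs: list = field(default_factory=list)  # id-on-xmppAddr SANs


def dns_id_matches(pattern: str, domain: str) -> bool:
    """RFC 6125 style DNS-ID match: exact, or '*' as the entire leftmost
    label standing for exactly one label (never a bare '*.tld')."""
    pattern, domain = pattern.lower().rstrip("."), domain.lower().rstrip(".")
    if pattern == domain:
        return True
    plabels, dlabels = pattern.split("."), domain.split(".")
    if plabels[0] != "*" or len(plabels) < 3:
        return False
    return len(plabels) == len(dlabels) and plabels[1:] == dlabels[1:]


def cert_matches_domain(conn: S2SConnection) -> bool:
    """True if any certificate identity covers conn.domain."""
    domain = conn.domain.lower().rstrip(".")
    if any(dns_id_matches(d, domain) for d in conn.dns_ids):
        return True
    if any(s.lower().rstrip(".") == f"_xmpp-server.{domain}" for s in conn.srv_ids):
        return True
    return any(x.lower().rstrip(".") == domain for x in conn.xmpp_addrs)


def classify_connection(conn: S2SConnection) -> str:
    """'secure' needs TLS, a trusted chain AND a name match; a trusted
    certificate for the wrong name is still 'encrypted-untrusted'."""
    if not conn.tls:
        return PLAINTEXT
    if conn.chain_trusted and cert_matches_domain(conn):
        return SECURE
    return UNTRUSTED


def s2s_report(conns) -> dict:
    """Bucket counts plus the plaintext peers an operator would chase."""
    counts = Counter(classify_connection(c) for c in conns)
    plaintext = sorted(c.domain for c in conns
                       if classify_connection(c) == PLAINTEXT)
    return {"counts": dict(counts), "plaintext_domains": plaintext}


# Constructed sample: placeholder domains, not real servers.
SAMPLE = [
    S2SConnection("good.example", True, True, dns_ids=["good.example"]),
    S2SConnection("srv.example", True, True, srv_ids=["_xmpp-server.srv.example"]),
    S2SConnection("chat.wild.example", True, True, dns_ids=["*.wild.example"]),
    S2SConnection("xa.example", True, True, xmpp_addrs=["xa.example"]),
    S2SConnection("selfsigned.example", True, False, dns_ids=["selfsigned.example"]),
    # trusted CA, but the certificate names a different host than asserted
    S2SConnection("mismatch.example", True, True, dns_ids=["other.example"]),
    S2SConnection("legacy.example", False),
]

if __name__ == "__main__":
    for key, value in s2s_report(SAMPLE).items():
        print(key, value)
```

The `mismatch.example` record is the case worth keeping in a report like this: the chain validates, so a naive "is the certificate valid?" check passes, yet the certificate does not name the domain the peer asserted, which is exactly what a dialback-replacing trust decision must reject.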