[jdev] Heml.is and federation..

Peter Saint-Andre stpeter at stpeter.im
Tue Jul 16 19:36:48 UTC 2013



On 7/12/13 10:51 PM, Steffen Larsen wrote:
> Hi Peter! :-)
> 
> On Jul 13, 2013, at 4:23 AM, Peter Saint-Andre <stpeter at stpeter.im>
> wrote:
> 
> Hi Matthew! :-)
> 
> On 7/12/13 5:34 PM, Matthew Wild wrote:
>>>> On 12 July 2013 22:06, Peter Saint-Andre
>>>> <stpeter at stpeter.im> wrote:
>>>>> Really it's a crime that we don't have ubiquitous s2s and
>>>>> e2e encryption by now
>>>> 
>>>> As you may know, we thought very seriously about making the 
>>>> default behaviour for the next release of Prosody to require 
>>>> trusted and valid certificates on all s2s connections.
>>>> Ultimately we decided against it, for now. But I remain
>>>> optimistic that we shall do so in a future version (perhaps
>>>> after making a POSH verification module available).
> 
> Sounds good. I do think we're making progress, although I'm
> frustrated that it's as slow as it is.
> 
> 
>> +1, even though I do nothing myself, so I can blame myself as
>> well. :-) How can I actually help out? Reading up on POSH and
>> friends?
> 
> 
>>>>> but I suppose in fairness to us these are hard problems...
>>>> 
>>>> Name another protocol as widespread as XMPP that has solved
>>>> them so far...? :)
> 
> True.
> 
>>>> At least I think we're on the right track, but with things
>>>> like this I think it takes baby-steps. We have come a long
>>>> way, many clients and servers require encryption on c2s now
>>>> which simply wasn't true a few years ago.
> 
> Yes, I am hoping / planning to do that at jabber.org before too
> much more time goes by. But one thing at a time.
> 
>>>> PS. Anecdotal, but currently on my server:
>>>> 
>>>> 40 "secure" incoming s2s connections (trusted+valid certificate)
>>>> 37 encrypted with invalid/self-signed certificates
>>>> 10 not encrypted at all
>>>> 
>>>> 3 of the unencrypted connections are from the personal
>>>> servers of prominent members of the XMPP community (you
>>>> [hopefully] know who you are). A further 2 are domains I'm
>>>> responsible for (and a server upgrade is already scheduled to
>>>> fix them), the remaining ones are gmail.com and Google-hosted
>>>> domains.
> 
> Hmm, those prominent members of the XMPP community need to get
> their act together. ;-)
> 
> In general, one thing that might help is a very clear HOWTO on 
> certificate provisioning, installation, and testing. That way,
> when more domains start requiring secure s2s we'll have a friendly
> manual at which we can point operators.
> 
>> Good idea. It's easy to set up XMPP servers, but certificates etc.
>> are always a pain in the b...

Yes, and it's a PITA that I need to fumble with my keys in order to
walk into my house. Security isn't easy. :-)

I do think that a friendly XMPP-certificates HOWTO would help.

> Also helpful might be an automated service (xmpp.net?) that would
> give you a report about your domain's s2s security status, if you
> opt in of course.
> 
>> +1 That would be cool!

OK, that sounds like a fun project. ;-)

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
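The opt-in "domain s2s security status" report Peter suggests, as an added example (not code from this thread, from xmpp.net or from any XMPP server project): a Python 3 probe that opens a server-to-server stream to a domain you operate on port 5269, attempts STARTTLS, and files the outcome into the three buckets Matthew counted. It assumes only the standard library (so no SRV lookup: it connects to the domain's A/AAAA record directly) and a hypothetical sender domain `probe.example`; socket timeouts are left to propagate.

```python
import socket
import ssl
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"
S2S_PORT = 5269  # XMPP s2s port; SRV records are not consulted (assumption)


def starttls_offer(features_xml):
    """Return (offered, required) for a <stream:features> fragment sent by an s2s peer."""
    # The fragment uses the 'stream' prefix without declaring it, so wrap it first.
    wrapped = "<stream:stream xmlns:stream='%s'>%s</stream:stream>" % (STREAM_NS, features_xml)
    starttls = ET.fromstring(wrapped).find(".//{%s}starttls" % TLS_NS)
    if starttls is None:
        return False, False
    return True, starttls.find("{%s}required" % TLS_NS) is not None


def classify(starttls_offered, handshake_ok, cert_valid):
    """Map a probe result onto the three buckets from the anecdotal counts above."""
    if not starttls_offered or not handshake_ok:
        return "not encrypted"
    return "secure" if cert_valid else "encrypted, invalid/self-signed certificate"


def _read_until(sock, markers, limit=65536):
    buf = b""
    while not any(m in buf for m in markers) and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace")


def probe(domain, probe_domain="probe.example", timeout=10):
    """Open an s2s stream to `domain`, try STARTTLS, and classify what happens."""
    sock = socket.create_connection((domain, S2S_PORT), timeout=timeout)
    sock.sendall(("<?xml version='1.0'?><stream:stream xmlns='jabber:server' "
                  "xmlns:stream='%s' from='%s' to='%s' version='1.0'>"
                  % (STREAM_NS, probe_domain, domain)).encode())
    data = _read_until(sock, (b"</stream:features>", b"<stream:features/>"))
    start = data.find("<stream:features")
    offered = start >= 0 and starttls_offer(data[start:])[0]
    if not offered:
        return classify(False, False, False)
    sock.sendall(("<starttls xmlns='%s'/>" % TLS_NS).encode())
    if "<proceed" not in _read_until(sock, (b"/>",)):
        return classify(True, False, False)
    # Default context verifies the chain and the DNS-ID only; a certificate that
    # carries just an XMPP SRV-ID/XmppAddr SAN will be reported as invalid here.
    ctx = ssl.create_default_context()
    try:
        ctx.wrap_socket(sock, server_hostname=domain).close()
        return classify(True, True, True)
    except ssl.SSLCertVerificationError:
        return classify(True, True, False)
```

Run `probe("your.domain")` from a host that can reach port 5269; the report it returns is the same label a peer server would assign to your domain when it applies the strict policy Prosody considered.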



