[Members] intermediate CA

Peter Saint-Andre stpeter at jabber.org
Wed Aug 16 13:23:47 CDT 2006

This is the first in a series of posts about some new initiatives I've
been thinking about, new ways for JSF members to help out, etc. More
posts to follow soon...


As you may know from my blog posts and such, I think it is a priority
for us to improve the security characteristics of the Jabber/XMPP
network. One way we can do that is to make it much easier and cheaper
for server administrators to obtain proper X.509 certificates that
contain all the right XMPP bits in them (see section 5.1.1 of RFC 3920).
We have our TLS and SASL protocols defined and the server software out
there (mostly) supports those, but right now it is way too hard for
server admins to obtain certificates. I have been talking about this for
the last ~2 months with StartCom:


They have a Linux distribution, they are working hard on establishing a
serious but inexpensive certification authority, and they have been very
helpful and encouraging. Also it doesn't hurt that they have passed
their CA audits and thus their root cert is now or will soon be included
in a number of browsers and OSes:


They have the infrastructure that will enable the JSF to become an
intermediate certification authority (ICA) and thus to offer very
inexpensive certificates to XMPP server administrators (without us
needing to run our own CA -- they will worry about all that). I envision
us doing this through the XMPP Federation site at www.xmpp.net (which we
would brand as an initiative of the JSF). What we would probably do is
eat the cost at the JSF so that server admins can obtain free domain
certificates. Once we have that set up, we might also work on making it
possible for end users to obtain the right X.509 certs as well. I'm
currently working with StartCom to scope out what this would cost and
will come back to the membership and the Board soon with an official
proposal. Note that this would not be an exclusive arrangement with
StartCom, but I think it would be a good way to get started and pave the
path for working with other CAs in the future.

Feedback and questions are welcome as always.


Peter Saint-Andre
Jabber Software Foundation
