[Members] intermediate CA proposal
jsiegle at psu.edu
Tue Nov 7 08:29:33 CST 2006
Peter Saint-Andre said the following on 11/6/06 1:49 PM:
> I've been working on a proposal to establish an intermediate CA for the
> XMPP server network:
> Feedback is welcome.
"In short, issuing a large number of server certificates is a problem we
would like to have."
Ugh. Now what you said on this web page is good. I think it is worth
mentioning the two different strategies for getting a certificate in
hand and how they compare. I know the CAcert strategy first-hand so I'll
talk about it here. Here is their page on the subject:
1.) Register with CAcert
2.) Add the domain to your account
For each domain you need to make sure you can receive e-mail from one
of the following e-mail addresses (root/hostmaster/postmaster/admin/webmaster).
This implies an existing Sendmail/exim configuration for each domain.
3.) Click on the link that is e-mailed to you and then you can get
certificates for all machines in the domain.
4.) Submit the CSR for the certificate
5.) Certificate is sent via e-mail to you or you can cut and paste the
certificate out of your browser.
To use the certificate you must also get their root CA certificate. That
root certificate expires in 2033.
For SFSCA, I don't have first-hand experience so I'll just refer to
section 4 of the proposal and also the ICA policy.
From section 4:
#Authorize certificate issuance only to registered members of the XMPP
Federation and provide details of issued certificates to the SFSCA.
--> This implies that somehow people become registered (step 1).
From the ICA policy(p. 6):
The certification master verifies without any reasonable doubt that the
– The domain name or IP address belongs to the requesting party
– The email address belongs to the requesting party
– The Identity of the requesting party including, but not limited to, Country of Origin, Name and Addresses of the person making the request, company details and details SFSCA deems necessary
--> This looks like step 2/3.
For steps 4/5, I can't find anything concrete, but it seems that you just
go to the website and submit the CSR/get the certificate.
To use the certificate you must have the StartCom root, our
intermediate, and your certificate. Our intermediate expires in 5 years.
We are given a new one after 4 years and will need to reissue all
I don't know how vhosts + registration works in this system. In the
CAcert process, I believe you need to register each one and have
sendmail/exim set up for all.
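To make the "root + intermediate + your certificate" point and the five-year/four-year reissue window concrete, here is an added example (it is not from the thread, and it is not SFSCA or CAcert tooling): a POSIX shell script that builds a throwaway three-tier chain with the openssl CLI and then runs the two checks an operator cares about. The self-signed "Test Root CA" stands in for the StartCom root, the five-year "Test XMPP Intermediate CA" for the proposed intermediate, and xmpp.example.org is a hypothetical domain; every file name and lifetime below is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from SFSCA/CAcert. Builds a
# throwaway three-tier chain so the chain and expiry points can be checked:
#   root.pem   self-signed test root (stand-in for the StartCom root)
#   ica.pem    5-year intermediate   (stand-in for the proposed XMPP ICA)
#   server.pem 1-year server cert for the hypothetical domain xmpp.example.org
# All names, paths and lifetimes are assumptions. Needs the openssl CLI.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

DOMAIN=xmpp.example.org   # hypothetical XMPP domain

# Self-contained config so the run does not depend on the system openssl.cnf.
write_cnf() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $DOMAIN
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ica ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$DOMAIN
EOF
}

# build_chain DIR ROOT_DAYS ICA_DAYS SERVER_DAYS: key+cert for each tier in DIR.
build_chain() {
  dir=$1; cnf=$1/openssl.cnf
  write_cnf "$cnf"
  # Root: self-signed (key-generation noise on stderr is suppressed).
  openssl req -x509 -config "$cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -subj "/CN=Test Root CA" -days "$2" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  # Intermediate: CSR signed by the root, constrained to CA:TRUE, pathlen:0.
  openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Test XMPP Intermediate CA" -keyout "$dir/ica.key" -out "$dir/ica.csr" 2>/dev/null
  openssl x509 -req -in "$dir/ica.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -days "$3" -extfile "$cnf" -extensions v3_ica -out "$dir/ica.pem" 2>/dev/null
  # Server: this CSR is the artefact step 4 of the thread submits; the ICA signs it.
  openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$DOMAIN" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ica.pem" -CAkey "$dir/ica.key" -CAcreateserial \
    -days "$4" -extfile "$cnf" -extensions v3_server -out "$dir/server.pem" 2>/dev/null
  # What the XMPP server actually serves: leaf first, then the intermediate.
  cat "$dir/server.pem" "$dir/ica.pem" > "$dir/chain.pem"
}

# 0 when server.pem chains to root.pem through ica.pem (what a peer must be able to do).
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/ica.pem" "$1/server.pem" >/dev/null 2>&1
}

# Same check with only the root available: must fail (unable to get local issuer).
verify_without_intermediate() {
  openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

# 0 when FILE is still valid DAYS from now; -checkend exits 1 once it would have expired.
valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Prints the chain members that will have expired DAYS from now, or "none".
expired_within() {
  list=""
  for m in server ica root; do
    valid_for_days "$1/$m.pem" "$2" || list="$list $m"
  done
  list=${list# }
  echo "${list:-none}"
}

DEMO=$(mktemp -d)
build_chain "$DEMO" 3650 1825 365   # root 10y, ICA 5y (as in the post), server 1y
verify_with_intermediate "$DEMO" && echo "server cert verifies with root + intermediate"
verify_without_intermediate "$DEMO" || echo "server cert does NOT verify with the root alone"
for d in 30 400 1460 1900; do        # 1460 days = the 4-year renewal point, 1900 > 5 years
  printf 'expired %4s days from now: %s\n' "$d" "$(expired_within "$DEMO" "$d")"
done
```

The second verify is the failure a peer sees when the server sends only its own certificate, which is why chain.pem carries the intermediate after the leaf. The -checkend loop is the reissue check: 1460 days out the intermediate is still valid, but a server certificate issued at that point with a one-year life outlives it, which is the window the post refers to.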