[Members] intermediate CA proposal

Jonathan Siegle jsiegle at psu.edu
Tue Nov 7 08:29:33 CST 2006


Peter Saint-Andre said the following on 11/6/06 1:49 PM:
> I've been working on a proposal to establish an intermediate CA for the
> XMPP server network:
> 
> http://www.jabber.org/jsf/ica-proposal.html
> 
> Feedback is welcome.
> 
> Peter
> 

"In short, issuing a large number of server certificates is a problem we
would like to have."

Ugh. Now what you said on this web page is good. I think it is worth
mentioning the two different strategies for getting a certificate in
hand and how they compare. I know the CAcert strategy first-hand so I'll
talk about it here. Here is their page on the subject:
http://www.cacert.org/help.php?id=6

1.) Register with CAcert
2.) Add the domain to your account
	For each domain you need to make sure you can receive e-mail from one
of the following e-mail addresses (root/hostmaster/postmaster/admin/webmaster).
This implies an existing Sendmail/exim configuration for each domain.
3.) Click on the link that is e-mailed to you and then you can get
certificates for all machines in the domain.
4.) Submit the CSR for the certificate
5.) Certificate is sent via e-mail to you or you can cut and paste the
certificate out of your browser.

To use the certificate you must also get their root CA certificate. That 
root certificate expires in 2033.



For SFSCA, I don't have first-hand experience so I'll just refer to
section 4 of the proposal and also the ICA policy.

From section 4:
#Authorize certificate issuance only to registered members of the XMPP
Federation and provide details of issued certificates to the SFSCA.
	-->  This implies that somehow people become registered (Step 1).


From the ICA policy (p. 6):
The certification master verifies without any reasonable doubt that the
following details are correct:
– The domain name or IP address belongs to the requesting party
– The email address belongs to the requesting party
– The Identity of the requesting party including, but not limited to,
Country of Origin, Name and Addresses of the person making the request,
company details and any other details SFSCA deems necessary

	-->  This looks like step 2/3.


For step 4/5, I can't find anything concrete but it seems that you just
go to the website and submit the CSR/get the certificate.

To use the certificate you must have the StartCom root, our 
intermediate, and your certificate. Our intermediate expires in 5 years. 
We are given a new one after 4 years and will need to reissue all 
certificates.


I don't know how vhosts + registration works in this system. In the
CAcert process, I believe you need to register each one and have
sendmail/exim set up for all.


Jonathan
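
As an added example (not from this post, the ICA proposal or either CA), the following Python script uses the `cryptography` library to build a constructed root / intermediate / server chain like the "StartCom root, our intermediate, and your certificate" layout described above, checks that a server certificate really chains through the intermediate to the root, and flags a server certificate whose expiry lies past the intermediate's, since such certificates have to be reissued when the intermediate is replaced. All CA names, host names and lifetimes are constructed.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def issue(subject_cn, issuer, years, is_ca):
    """Issue a cert valid for `years`; issuer is (cert, key) or None for a self-signed root."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer_cert, issuer_key = issuer if issuer else (None, key)
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer_cert.subject if issuer_cert else subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + dt.timedelta(days=365 * years))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))
    return cert, key

def signed_by(cert, issuer):
    if cert.issuer != issuer.subject:  # issuer name must match the signer's subject
        return False
    try:  # and the RSA signature over the TBS bytes must verify with the signer's key
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:  # InvalidSignature or an unsupported algorithm
        return False

def check_chain(leaf, intermediate, root):
    """Return (chains_ok, leaf_outlives_intermediate)."""
    chains_ok = signed_by(leaf, intermediate) and signed_by(intermediate, root)
    # newer cryptography exposes tz-aware *_utc properties; fall back on older ones
    exp = lambda c: getattr(c, "not_valid_after_utc", None) or c.not_valid_after
    return chains_ok, exp(leaf) > exp(intermediate)

def demo():
    # Constructed chain: long-lived root, 5-year intermediate, server certs under it.
    root = issue("Constructed Root CA", None, 27, True)
    ica = issue("Constructed XMPP Intermediate CA", root, 5, True)
    good, _ = issue("xmpp.example.org", ica, 2, False)     # fits inside the ICA lifetime
    late, _ = issue("late.example.org", ica, 6, False)     # outlives the ICA
    other = issue("Constructed Unrelated Root", None, 27, True)
    stray, _ = issue("stray.example.org", other, 1, False)  # not issued under our ICA
    return {"good": check_chain(good, ica[0], root[0]),    # (True, False)
            "late": check_chain(late, ica[0], root[0]),    # (True, True)
            "stray": check_chain(stray, ica[0], root[0])}  # (False, False)
```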
