[Members] intermediate CA proposal

Peter Saint-Andre stpeter at jabber.org
Tue Nov 7 15:00:01 CST 2006

Jonathan Siegle wrote:
> Peter Saint-Andre said the following on 11/6/06 1:49 PM:
>> I've been working on a proposal to establish an intermediate CA for the
>> XMPP server network:
>> http://www.jabber.org/jsf/ica-proposal.html
>> Feedback is welcome.
>> Peter
> "
> In short, issuing a large number of server certificates is a problem we
> would like to have."
> Ugh. Now what you said on this web page is good. I think it is worth
> mentioning the two different strategies for getting a certificate in
> hand and how they compare. I know the CAcert strategy first hand so I'll
> talk about it here. Here is their page on the subject :
> http://www.cacert.org/help.php?id=6 .
> 1.) Register with CAcert
> 2.) Add the domain to your account
>     For each domain you need to make sure you can receive e-mail from
>     one of the following e-mail addresses
>     (root/hostmaster/postmaster/admin/webmaster). This implies an
>     existing Sendmail/exim configuration for each domain.
> 3.) Click on the link that is e-mailed to you and then you can get
>     certificates for all machines in the domain.
> 4.) Submit the CSR for the certificate
> 5.) Certificate is sent via e-mail to you or you can cut and paste the
>     certificate out of your browser.
> To use the certificate you must also get their root CA certificate. That
> root certificate expires in 2033.
> For SFSCA, I don't have first hand experience so I'll just refer to
> section 4 of the proposal and also the ICA policy.
> From section 4:
> #Authorize certificate issuance only to registered members of the XMPP
> Federation and provide details of issued certificates to the SFSCA.
>     -->  This implies that somehow people become registered (Step 1.)

Yes, people (to start, server admins) would register through our process
at https://www.xmpp.net/

> From the ICA policy (p. 6):
> The certification master verifies without any reasonable doubt that the
> following details are correct:
> – The domain name or IP address belongs to the requesting party
> – The email address belongs to the requesting party
> – The Identity of the requesting party including, but not limited to,
>   Country of Origin, Name and Addresses of the person making the request,
>   company details and any other details SFSCA deems necessary

BTW, my understanding is that the certification master is an SFSCA
function, not a JSF function. That is, you request a certificate from
SFSCA (but perhaps via a web interface available from xmpp.net). We're
just an intermediate CA, not the root.

> For step 4/5, I can't find anything concrete but it seems that you just
> go to the website and submit the CSR/get the certificate.

I think so, yes.

> To use the certificate you must have the StartCom root, our
> intermediate, and your certificate.

Right. Presumably we'd work with server and client projects to include
the StartCom root in their software, or depend on existing cert stores.
The StartCom root is in Mozilla now and I think it will be in Mac OS X
10.5 (Leopard), as well as some other Linux/Unix distros. But the
timeline for Windows is indeterminate.

> Our intermediate expires in 5 years.
> We are given a new one after 4 years and will need to reissue all
> certificates.
> I don't know how vhosts + registration works in this system. In the
> CAcert process, I believe you need to register each one and have
> sendmail/exim set up for all.

I think that's right -- you'd need access to hostmaster@domain or one of
the other approved (RFC 2142) addresses. And maybe also be listed in the
whois information.

Peter Saint-Andre
Jabber Software Foundation
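An added illustration, not part of this thread or of either CA's software: a small model of the registration and domain-validation steps discussed above (challenge mail to an RFC 2142 mailbox, then certificates for any host under the validated domain), written to show the checks a CA-side registration process needs. The `Account` class, function names and the sample domains are assumptions.

```python
# Added example (not from the thread): a model of the domain-validation step
# described above, including label-by-label matching of requested hosts.
from dataclasses import dataclass, field

# Mailbox names a CA may use to prove control of a domain (RFC 2142),
# the same list quoted in the CAcert steps above.
APPROVED_LOCAL_PARTS = {"root", "hostmaster", "postmaster", "admin", "webmaster"}


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop any trailing dot."""
    return name.strip().lower().rstrip(".")


@dataclass
class Account:
    """A registered requester and the domains they have proven control of."""
    validated_domains: set = field(default_factory=set)


def challenge_address_ok(address: str, domain: str) -> bool:
    """True if the challenge mail went to an approved mailbox at exactly `domain`."""
    local, sep, mail_domain = address.partition("@")
    if sep != "@" or "@" in mail_domain:
        return False
    return (local.lower() in APPROVED_LOCAL_PARTS
            and normalize(mail_domain) == normalize(domain))


def record_validation(account: Account, domain: str, address: str) -> bool:
    """Steps 2/3: mark `domain` validated only if the challenge went to an
    approved address at that domain; single-label names are refused."""
    domain = normalize(domain)
    if domain.count(".") < 1 or not challenge_address_ok(address, domain):
        return False
    account.validated_domains.add(domain)
    return True


def may_issue(account: Account, requested_host: str) -> bool:
    """Step 4: a CSR is acceptable if the host is a validated domain or lies
    under one. Matching is per DNS label, so 'notexample.org' is not covered
    by 'example.org', and neither is 'example.org.attacker.test'."""
    labels = normalize(requested_host).split(".")
    if "*" in labels or any(not label for label in labels):
        return False
    # Candidates: the host itself and every parent with at least two labels.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in account.validated_domains:
            return True
    return False
```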
