[Members] PayPal links

Jonathan Schleifer js-xmpp-members at webkeks.org
Wed May 20 10:19:39 CDT 2009


On 20.05.2009 at 17:10, Peter Saint-Andre wrote:

> Feel free to recommend other CAs that would enable us to be an
> Intermediate CA at a reasonable cost. When I did this research several
> years ago, there were no such options.

I have to admit that I haven't looked for this yet. I didn't know the
situation was that bad.

>> Well, the cert you get is not really comparable to the certs they
>> sell :/. If you want to use your XMPP StartCom cert, for example, for
>> your website as well, you will get a warning in every browser, as they
>> use a different Root CA for that.
>
> The certs issued by the XMPP ICA are for XMPP services, not HTTP
> services. That's why it's called the XMPP ICA.

Yeah, but we actually *PAY* StartCom for certs with a RootCA that is
listed nowhere. We could have our own RootCA that is listed nowhere as
well for free.

>> So it's as useful as using some other service that's free, but not
>> listed in the Root CAs of the 4 big browsers.
>
> The StartCom root is included in Mozilla, OS X, various Linux distros,
> etc. StartCom is also working hard on inclusion into Windows.

Last time I checked, the XMPP StartCom certificates did not even use
their RootCA. They had a new RootCA for this, which was in *NO*
browser and *NO* OS at all. Even most XMPP clients did not include it.
For example, Psi gave a big, fat warning.

So, basically, they created a new RootCA for the XMPP certificates
which is not in any browser or OS and, it seems, not even in most XMPP
clients. We could have the same by just creating an XSF RootCA.

> There are two different StartCom roots, the old one and the new one.
> We need to transition the XMPP ICA to use the new one. I am not sure
> which root cert is supported in Mozilla, but I thought it was the old
> one (the Mozilla folks will need to do the same upgrade we're doing).
> I can check on this.

When I checked the XMPP StartCom certs the last time, they were using
neither the old nor the new one, but a completely different CA. If the
XSF would create a RootCA and sign certs sent in, it would be
basically the same, but free.

> BTW I thought you didn't care about SSL/TLS anyway, so what's the
> fuss?

For s2s, as the actual messages should be encrypted rather than the
s2s connection, and you can't rely on s2s encryption anyway (seriously,
who even checks the certificates for s2s TLS? Most don't). But this is
something that we will only get in the future.

--
Jonathan
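The point argued above, that a server certificate is only as useful as the root it chains to and that a root "listed nowhere" leaves every client with a warning (or, for s2s, with no check at all), can be shown with a small constructed PKI. The script below is an added demonstration and is not code from this thread or from the XSF or StartCom: it builds an assumed "Demo Browser Root" (standing in for a root that trust stores ship), a separate assumed "Demo XMPP Root" and "Demo XMPP ICA" (a root that nothing ships, with an intermediate under it), and a server certificate for the assumed host xmpp.example.org. `openssl verify` then shows the server certificate being rejected by a trust store that holds only the browser root, and accepted once the second root is added. Requires an `openssl` binary.

```shell
#!/bin/sh
# Added demonstration, not code from the mailing-list thread. All CA names,
# the host name xmpp.example.org and the file layout are assumptions.
set -eu

WORK="$(mktemp -d)"

# csr NAME SUBJECT : fresh 2048-bit RSA key plus CSR under $WORK
csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# self_signed NAME SUBJECT : a root CA certificate (basicConstraints CA:TRUE)
self_signed() {
    csr "$1" "$2"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/$1.ext"
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# issued NAME SUBJECT ISSUER EXTENSIONS : certificate signed by ISSUER's key
issued() {
    csr "$1" "$2"
    printf '%s\n' "$4" > "$WORK/$1.ext"
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

build_pki() {
    # The root that browsers and OSes ship (stands in for the StartCom root)
    self_signed browser_root "/CN=Demo Browser Root"
    # A separate root that is shipped nowhere (what the thread complains about)
    self_signed xmpp_root "/CN=Demo XMPP Root"
    # The intermediate CA ("ICA"), chained to the unshipped root
    issued xmpp_ica "/CN=Demo XMPP ICA" xmpp_root \
        "basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign"
    # The end-entity certificate an XMPP service would present
    issued server "/CN=xmpp.example.org" xmpp_ica \
        "basicConstraints=CA:FALSE
subjectAltName=DNS:xmpp.example.org"
}

# verify_server TRUSTFILE : exit 0 if server.crt chains to a root in TRUSTFILE.
# The intermediate is given as -untrusted, as a server sends it in the TLS
# handshake; only the roots in TRUSTFILE count as trust anchors. This is the
# check a client (or an s2s peer) has to perform for the certificate to mean
# anything.
verify_server() {
    openssl verify -CAfile "$1" -untrusted "$WORK/xmpp_ica.crt" \
        "$WORK/server.crt" >/dev/null 2>&1
}

# demo : exit 0 when the server cert is rejected by a store holding only the
# browser root and accepted once the XMPP root is appended to that store
demo() {
    build_pki
    cp "$WORK/browser_root.crt" "$WORK/store.pem"
    if verify_server "$WORK/store.pem"; then
        echo "unexpected: accepted by a store without the XMPP root"; return 1
    fi
    cat "$WORK/xmpp_root.crt" >> "$WORK/store.pem"
    if ! verify_server "$WORK/store.pem"; then
        echo "unexpected: rejected although the XMPP root is trusted"; return 1
    fi
    echo "rejected without the XMPP root, accepted with it (store: $WORK/store.pem)"
}

demo
```

The first `verify_server` call fails with an "unable to get issuer certificate" style error because the chain ends at a root the store does not contain; that is exactly the state of a certificate whose root is in no browser, OS or client, however legitimately it was issued. The second call succeeds only because the missing root was distributed to the verifier, which is the operational cost of any root that is not already shipped, whether it belongs to a commercial CA or to an organisation running its own.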
