[Members] XMPP ICA (was: Re: PayPal links)

Peter Saint-Andre stpeter at stpeter.im
Wed May 20 10:35:45 CDT 2009


On 5/20/09 9:19 AM, Jonathan Schleifer wrote:
> On 20.05.2009 at 17:10, Peter Saint-Andre wrote:
>> Feel free to recommend other CAs that would enable us to be an
>> Intermediate CA at a reasonable cost. When I did this research several
>> years ago, there were no such options.
> I have to admit that I haven't looked for this yet. Didn't know the
> situation is that bad.

What other CAs would you look at? VeriSign, Equifax, etc. are very very
expensive. The only other relatively inexpensive and widely available CA
that I know of is GoDaddy, but at the time they didn't support ICAs, but
I think that has changed now.

>>> Well, the cert you get is not really comparable to the certs they sell
>>> :/. If you want to use your XMPP StartCom Cert for example for your
>>> website as well, you will get a warning in every browser, as they use a
>>> different Root CA for that.
>> The certs issued by the XMPP ICA are for XMPP services, not HTTP
>> services. That's why it's called the XMPP ICA.
> Yeah, but we actually *PAY* StartCom for certs with a RootCA that is
> listed nowhere. We could have our own RootCA that is listed nowhere as
> well for free.

Why do you say that the StartCom root is "listed nowhere"? It is
supported in Mozilla, OS X, etc.

Now, I freely admit that the XMPP ICA is currently using the *old*
StartCom root. StartCom keeps poking me about upgrading, so the fault
might be mine that we haven't done so yet.

>>> So it's as useful as using some other
>>> service that's free, but not listed in the Root CAs of the 4 big
>>> browsers.
>> The StartCom root is included in Mozilla, OS X, various Linux distros,
>> etc. StartCom is also working hard on inclusion into Windows.
> Last time I checked, the XMPP StartCom certificates did not even use
> their RootCA. They had a new RootCA for this, which was in *NO* browser
> and *NO* OS at all. 

I don't think that's correct.

> Even most XMPP-Clients did not include it. 

At the beginning, no. It has been a multi-year effort to encourage XMPP
client and server developers to support the certificates issued by the
XMPP ICA. In fact, before we started issuing these certificates it was
difficult for server operators to install proper certificates, so we
found a lot of bugs in server code (not presenting the entire cert
chain), clients didn't warn users about bad certs, etc. Thank you for so
clearly expressing your appreciation for all of the hard work that has
gone into this effort at the XMPP ICA and the various code projects. I'm
sorry that we have not achieved perfection yet, but this stuff takes time.

> For
> example, Psi gave a big, fat warning.

You must have tested an older version of Psi. Psi 0.11 and above has
full support for the certificates issued by the XMPP ICA.

> So, basically, they created a new RootCA for the XMPP Certificates which
> is not in any browser or OS and it seems not even in most XMPP Clients.

I think that you are confusing the root cert with the intermediate cert.
Please specify the complete cert chain and where you think the problem lies.

> We could have the same by just creating an XSF RootCA.

And take on the liability and management burden of running a CA? We
decided against that approach years ago. However, feel free to introduce
it as a topic for discussion among the membership, and describe how the
XSF can manage such an effort, the infrastructure required, etc. The XSF
is open to operational proposals like this, just follow the format of
the documents at http://xmpp.org/xsf/proposals/

>> There are two different StartCom roots, the old one and the new one. We
>> need to transition the XMPP ICA to use the new one. I am not sure which
>> root cert is supported in Mozilla, but I thought it was the old one (the
>> Mozilla folks will need to do the same upgrade we're doing). I can check
>> on this.
> When I checked the XMPP StartCom Certs the last time, they were using
> neither the old nor the new one, but a completely different CA. 

I don't think that's right, but I will check.

> If the
> XSF would create a RootCA and sign certs sent in, it would be basically
> the same, but free.

TANSTAAFL. We'd be paying somehow -- for a new machine to house the CA,
for management processes, for work to ensure that we are in line with
industry best practices, for audits, etc. I am not convinced that
running a CA is within our core competencies. But feel free to write a
proposal for consideration by the membership.


--
Peter Saint-Andre
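The two failure modes that come up in the message above, a server that does not present the entire cert chain and a reader who confuses the root cert with the intermediate cert, can be reproduced offline with nothing but openssl. The script below is an added example, not part of this thread and not the XMPP ICA's or StartCom's own tooling: it builds a throwaway root, intermediate and leaf hierarchy, then verifies the leaf against the trusted root once with only the leaf "presented" (what a client sees when the server omits the intermediate) and once with the intermediate included. The CA names, the service name xmpp.example and the scratch directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example: demonstrate why a client that trusts only the root still
# rejects a leaf certificate when the server omits the intermediate.
# Everything here (names, paths, the CA hierarchy) is constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# Run a command silently; with set -e a failure still aborts build_chain.
quiet() { "$@" >/dev/null 2>&1; }

# Build root -> intermediate -> leaf. Extensions come only from the small
# ext files written here, so no system openssl.cnf defaults are mixed in.
build_chain() {
  # 1. Self-signed root CA: the trust anchor a client would ship with.
  quiet openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" -subj "/CN=Demo Root CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/root.ext"
  quiet openssl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/root.ext" -out "$WORK/root.crt"

  # 2. Intermediate CA signed by the root; pathlen:0 means it may only sign leaves.
  quiet openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Demo Intermediate CA"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  quiet openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/int.ext" -out "$WORK/int.crt"

  # 3. Leaf (end-entity) certificate for a constructed XMPP service name,
  #    signed by the intermediate, never by the root directly.
  quiet openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=xmpp.example"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:xmpp.example\n' > "$WORK/leaf.ext"
  quiet openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/int.crt" \
    -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt"
}

# Server sends only its own certificate: the root is trusted, but nothing
# links the leaf to it, so verification fails (non-zero exit status).
verify_leaf_only() {
  quiet openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt"
}

# Server sends leaf + intermediate (-untrusted is the presented chain):
# the path closes at the trusted root, so verification succeeds (exit 0).
verify_with_intermediate() {
  quiet openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/leaf.crt"
}

main() {
  build_chain
  if verify_leaf_only; then
    echo "unexpected: leaf verified without the intermediate"
  else
    echo "leaf only: verification fails (no path from leaf to trusted root)"
  fi
  if verify_with_intermediate; then
    echo "leaf + intermediate: verification OK"
  fi
}

main
```

The point for a server operator is the second function: a client is expected to carry the root, not the intermediate, so the intermediate has to travel in the TLS handshake alongside the leaf. Against a live deployment the same check is what `openssl s_client -connect host:5222 -starttls xmpp -CAfile <root>` performs when it reports the chain it was sent.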


