[Members] XMPP ICA (was: Re: PayPal links)

Jonathan Schleifer js-xmpp-members at webkeks.org
Wed May 20 12:37:21 CDT 2009

Am 20.05.2009 um 17:35 schrieb Peter Saint-Andre:

> What other CAs would you look at? VeriSign, Equifax, etc. are very  
> very
> expensive. The only other relatively inexpensive and widely  
> available CA
> that I know of is GoDaddy, but at the time they didn't support ICAs,  
> but
> I think that has changed now.

Does it need to be one of the well-known ones? It wouldn't make any  
difference, see below why.

>> Yeah, but we actually *PAY* StartCom for certs with a RootCA that is
>> listed nowhere. We could have our own RootCA that is listed nowhere  
>> as
>> well for free.
> Why do you say that the StartCom root is "listed nowhere"? It is
> supported in Mozilla, OS X, etc.

Well, I think we got a misunderstanding here.

When you request a StartCom cert the normal way, you get one signed by  
their Root CA.
Last time I tried to get an XMPP StartCom cert, it used a different  
Root CA, which was labeled "StartCom XMPP ICA" or something like this.

So, it seems we got 3 RootCAs here: The old StartCom one, the new  
StartCom one and the XMPP StartCom one. The old and the new StartCom  
one might be in some browsers and other apps. The XMPP StartCom one  
wasn't. I don't know if this has changed, because it's a long time  
since I tried the XMPP StartCom certificate.

> Now, I freely admit that the XMPP ICA is currently using the *old*
> StartCom root. StartCom keeps poking me about upgrading, so the fault
> might be mine that we haven't done so yet.

So actually we can change to their normal RootCAs? Because last time I  
requested an XMPP StartCom certificate, it was signed by some other  
RootCA that was just for XMPP.

>> Last time I checked, the XMPP StartCom certificates did not even use
>> their RootCA. They had a new RootCA for this, which was in *NO*  
>> browser
>> and *NO* OS at all.
> I don't think that's correct.

It;'s been a long time, so it's possible that this changed.

>> Even most XMPP-Clients did not include it.
> At the beginning, no. It has been a multi-year effort to encourage  
> client and server developers to support the certificates issued by the
> XMPP ICA. In fact, before we started issuing these certificates it was
> difficult for server operators to install proper certificates, so we
> found a lot of bugs in server code (not presenting the entire cert
> chain), clients didn't warn users about bad certs, etc. Thank you  
> for so
> clearly expressing your appreciation for all of the hard work that has
> gone into this effort at the XMPP ICA and the various code projects.  
> I'm
> sorry that we have not achieved perfection yet, but this stuff takes  
> time.

This was not criticism to your efforts. I just wanted to say: If we  
need to spend time to get the clients and servers to include it, we  
might as well create our own CA and try to get that included. This  
won't cost us anything.

>> For
>> example, Psi gave a big, fat warning.
> You must have tested an older version of Psi. Psi 0.11 and above has
> full support for the certificates issued by the XMPP ICA.

As I said, this was some time ago. Even 0.10 was only in SVN back then  
and even that gave a warning back then :).

>> So, basically, they created a new RootCA for the XMPP Certificates  
>> which
>> is not in any browser or OS and it seems not even in most XMPP  
>> Clients.
> I think that you are confusing the root cert with the intermediate  
> cert.
> Please specify the complete cert chain and where you think the  
> problem lies.

Guess I have to have a new look at this, maybe it was fixed now.

>> We could have the same by just creating an XSF RootCA.
> And take on the liability and management burden of running a CA? We
> decided against that approach years ago. However, feel free to  
> introduce
> it as a topic for discussion among the membership, and describe how  
> the
> XSF can manage such an effort, the infrastructure required, etc. The  
> is open to operational proposals like this, just follow the format of
> the documents at http://xmpp.org/xsf/proposals/

This might indeed be an idea, especially as many complain that the XSF  
membership means "doing nothing besides some voting".

>> When I checked the XMPP StartCom Certs the last time, they we're  
>> using
>> neither the old nor the new one, but a completely different CA.
> I don't think that's right, but I will check.

Ok, hopefully they fixed it. If they did, I might try it again :).

>> If the
>> XSF would create a RootCA and sign certs sent in, it would be  
>> basically
>> the same, but free.
> TANSTAAFL. We'd be paying somehow -- for a new machine to house the  
> CA,
> for management processes, for work to ensure that we are in line with
> industry best practices, for audits, etc. I am not convinced that
> running a CA is within our core competencies. But feel free to write a
> proposal for consideration by the membership.

Why would we need a new machine? For the revoke list? There aren't so  
many servers that it's impossible that one or a few individuals got  
the RootCA's private key and then unsigned certs are sent to them for  
signing, right? We don't need to open something that's as big as for  
example StartCom.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 801 bytes
Desc: Signierter Teil der Nachricht
URL: <http://mail.jabber.org/pipermail/members/attachments/20090520/f49e59d8/attachment.pgp>

More information about the Members mailing list