[Members] XMPP and DNSSEC

Peter Saint-Andre stpeter at stpeter.im
Fri Feb 28 00:10:53 UTC 2014


On 1/17/14, 2:32 PM, Dave Cridland wrote:
>
> On 17 Jan 2014 18:27, "Simon Tennant" <simon at buddycloud.com> wrote:
>  >
>  > On 17 January 2014 13:39, Dave Cridland <dave at cridland.net> wrote:
>  >>>
>  >>> multi-tenant XMPP hosting + security isn't possible
>  >>
>  >> That's incorrect; it's generally made more difficult by services
>  >> having to have valid certificates for the domain hosted, which is quite
>  >> difficult for large third-party hosting providers. It is absolutely NOT
>  >> impossible, though, and large scale HTTP providers do just this.
>  >
>  >
>  > How do you propose the hosting provider vouch for you without handing
>  > over your private key?
>
> As I say, large scale HTTP providers work in exactly this way.
> "Impossible" is too strong a word here. FWIW, Google's main concern was
> not holding the keying material, but the logistics of holding
> certificates for all the domains, as I recall.

Well, I have talked with someone at Akamai and they have exactly this same 
problem. I don't know how they solve it, or if they do, because this 
person said they could really use something like POSH for HTTPS, but of 
course then it's turtles all the way down since POSH bootstraps off HTTPS.

Peter
