[Members] XMPP and DNSSEC

Dave Cridland dave at cridland.net
Fri Jan 17 21:32:59 UTC 2014


On 17 Jan 2014 18:27, "Simon Tennant" <simon at buddycloud.com> wrote:
>
> On 17 January 2014 13:39, Dave Cridland <dave at cridland.net> wrote:
>>>
>>> multi-tenant XMPP hosting + security isn't possible
>>
>> That's incorrect; it's generally made more difficult by services having
>> to have valid certificates for the domain hosted, which is quite difficult
>> for large third-party hosting providers. It is absolutely NOT impossible,
>> though, and large scale HTTP providers do just this.
>
>
> How do you propose the hosting provider vouch for you without handing
> over your private key?

As I say, large scale HTTP providers work in exactly this way. "Impossible"
is too strong a word here. FWIW, Google's main concern was not holding the
keying material, but the logistics of holding certificates for all the
domains, as I recall.

The particular issue you're referring to can also be solved by POSH,
incidentally.

I'm hugely in favour of DNSSEC and DANE-for-SRV, by the way, I'm just keen
to ensure we all know what problems they address, and how.

>>>
>>> How do we help operators deploy with DNSSEC?
>>
>> Well, assuming by "we", you mean the XSF, I think we should first poll
>> the members to see if they want the XSF to be involved here.
>
>
> I hardly think that volunteering to help write up specs and guides for
> implementation (voluntarily) is onerous enough to require members'
> referendums. If it really is, we should also ballot on whether the XSF will
> return the ISOC's very generous grant to work on DNSSEC.

Well, first and foremost, the Internet Society has not given us a grant to
work on DNSSEC. They have, very kindly, given us a gift based on our past
work toward security. As Peter said in the last Board meeting:

[16:58:54] stpeter: Simon: BTW, we can apply for another grant specifically
about DNSSEC — the existing one was just to recognize us for being good
people doing good work

So while we can certainly figure out DNSSEC work to do, and should this
work actually need some cash, we may be able to get it from ISOC, but ISOC
is not expecting the money they've given us back - it's for the work we've
already done in security. (And in fact, it's the XSF getting money for work
the community has done under our leadership, really). So I don't think
there's any worry we're about to lose two-thirds of our current cash
reserves if we don't do something about DNSSEC. :-)

Secondly, although the specification work here is mostly the domain of the
IETF, I agree the XSF can and should be promoting writing implementation
guides to a lot of XMPP technologies - we've a lot of blank pages on the
Wiki specifically aimed at these, in fact - but nobody's filling them in.
Asking the wider community is probably a good idea here - it's not clear
the membership can, or should, be the place to get stuff like this written.

Thirdly, we had this debate in Portland about Peter's Manifesto, Matt's
registration thing, and so on, and I argued these things would be better
done under the auspices of the XSF - and I lost that argument, and my
take-home from that was that the vast majority of people felt the XSF
should be aimed exclusively at developers. I don't see a vast difference
between pushing operators to deploy DNSSEC and pushing operators to deploy
TLS, and as such, I don't see how the XSF can take it on. If I'm wrong in
this, I'd really appreciate knowing - I assumed that was the reason that
during the Board meeting when you raised this, it was suggested you send it
to standards@ or jdev@ rather than here.

In fact, I thought you'd argued against me in Portland. If you've changed
your mind, that's great, but I hate reopening debates without really
compelling reason. I'm not sure this effort counts as new evidence, but if
you feel you want to reopen it, go ahead - in the meantime, my
understanding is that the XSF has to focus on developers only, despite my
personal opinions.

In the meantime, I would recommend that if you're looking for volunteers to
push DNSSEC toward operators, you should address either jdev@ (to get the
implementors involved) or operators@ (to get the deployment up). I'd have
no argument *at all* with you doing so.
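To make the POSH point above concrete: the mail says a hosting provider can vouch for a hosted domain without the domain owner handing over a private key. The sketch below is an added illustration, not code from Dave, Simon, the XSF or any XMPP server; it models the RFC 7711 check a connecting server would do. The provider presents a certificate for its own key, and the hosted domain publishes (or redirects to) a POSH document listing that certificate's SHA-256 fingerprint, so the trust decision stays with the domain owner. All certificates, domain names and documents here are constructed stand-ins, the HTTPS fetch is a dictionary lookup, only one level of redirect is followed, and treating an `expires` of 0 or less as unusable is this example's simplification rather than a rule taken from the RFC.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for DER-encoded certificates. The hosting provider
# presents the first one for its own key; the hosted domain never holds that key.
PROVIDER_CERT_DER = b"constructed-DER-bytes:CN=xmpp.hosting.example"
OTHER_CERT_DER = b"constructed-DER-bytes:CN=xmpp.unrelated.example"

POSH_SERVICE = "xmpp-server"  # service name in the .well-known path


def posh_fingerprint(cert_der: bytes) -> str:
    """Base64 SHA-256 over the DER certificate, the fingerprint form RFC 7711 uses."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


# Constructed POSH documents keyed by the HTTPS URL they would be served from.
# example.com delegates to its provider via the "url" redirect form; the provider
# lists the fingerprint of its own certificate. expired.example is a negative case.
_WEB = {
    "https://example.com/.well-known/posh/xmpp-server.json": json.dumps(
        {"url": "https://hosting.example/.well-known/posh/xmpp-server.json",
         "expires": 86400}),
    "https://hosting.example/.well-known/posh/xmpp-server.json": json.dumps(
        {"fingerprints": [{"sha-256": posh_fingerprint(PROVIDER_CERT_DER)}],
         "expires": 604800}),
    "https://expired.example/.well-known/posh/xmpp-server.json": json.dumps(
        {"fingerprints": [{"sha-256": posh_fingerprint(PROVIDER_CERT_DER)}],
         "expires": 0}),
}


def https_get(url: str):
    """Stand-in for fetching a POSH document over HTTPS (constructed, offline)."""
    body = _WEB.get(url)
    return json.loads(body) if body is not None else None


def posh_url(domain: str) -> str:
    return f"https://{domain}/.well-known/posh/{POSH_SERVICE}.json"


def verify_with_posh(hosted_domain: str, presented_cert_der: bytes):
    """Return (ok, reason) for a certificate presented on behalf of hosted_domain.

    hosted_domain is the XMPP domain being connected to (the stream 'to'), never
    the SRV target: the owner of that domain decides which provider keys to trust.
    """
    doc = https_get(posh_url(hosted_domain))
    if doc is None:
        return False, "no-posh-document"
    # Redirect form: a document carrying only "url" (and "expires"). One hop only here.
    if "url" in doc and "fingerprints" not in doc:
        if not doc["url"].startswith("https://"):
            return False, "redirect-not-https"
        doc = https_get(doc["url"])
        if doc is None or "fingerprints" not in doc:
            return False, "redirect-target-invalid"
    # "expires" is a lifetime in seconds; this example refuses 0 or less (simplification).
    if int(doc.get("expires", 0)) <= 0:
        return False, "posh-document-expired"
    presented = posh_fingerprint(presented_cert_der)
    for entry in doc["fingerprints"]:
        expected = entry.get("sha-256")
        # Constant-time comparison of the base64 fingerprint strings.
        if expected and hmac.compare_digest(expected, presented):
            return True, "fingerprint-match"
    return False, "no-matching-fingerprint"


if __name__ == "__main__":
    print(verify_with_posh("example.com", PROVIDER_CERT_DER))   # (True, 'fingerprint-match')
    print(verify_with_posh("example.com", OTHER_CERT_DER))      # (False, 'no-matching-fingerprint')
```

The fetch for the POSH document is keyed on the hosted domain, not on whatever hostname the SRV record pointed at, which is what keeps the provider from being able to vouch for a domain that has not delegated to it.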