[Operators] requiring channel encryption

Maissel, Joe joe.maissel at credit-suisse.com
Wed Apr 30 06:45:54 CDT 2008


Is there an SRV record to distinguish tls from non-tls s2s services?


----- Original Message -----
From: operators-bounces at xmpp.org <operators-bounces at xmpp.org>
To: XMPP Operators Group <operators at xmpp.org>
Sent: Tue Apr 29 20:52:39 2008
Subject: Re: [Operators] requiring channel encryption

On 29-Apr-2008, at 16:50, Peter Saint-Andre wrote:
> The jabber.org admin team has been discussing the option of requiring
> STARTTLS (or legacy SSL on port 5223) for client-to-server connections,
> and STARTTLS for server-to-server connections. I'm wondering:
>
> 1. Are any other XMPP services doing this right now (for c2s or s2s or
> both)?

	I think mandating TLS for c2s is a mistake. At the edges of the  
network, it should really be up to the local operators and their  
conditions. There are /lots/ of networks that have absolutely no need  
for it.

	s2s is a different animal. If you allow self-signed certs, I'm sure  
compliance wouldn't be much of a problem. It's useful to encrypt, but  
without authentication, I'm not sure if it's all that much of a net-win.
Man-in-the-middle becomes trivial, so you'd really only stop the
bottom rung. Getting free certs can work, but can also not, depending  
on verification process. I'm really not sure what the correct solution  
is here. I don't want to out the gal putting up ejabberd on a server  
in her basement from the process, but if we're going to go the  
encryption/trust route, it should be relatively secure.

	Perhaps TLS is just the wrong answer for building trust networks on  
the Internet, and we should try to think of something fundamentally  
different.

> 3. What is your guess as to the percentage of XMPP services that won't
> be able to connect to jabber.org for s2s when we make this change (even
> if we accept self-signed certificates)? ;-)

	A small percentage if you accept self-signed. To segue back to a  
previous thread, I think it would be useful to put up a test server  
which accepts self-signed, and have jabber.org only accept verified  
roots. It's just not that hard to get a cert for no (or almost no)  
cost. When you're ready to put it up in front of the public, it's the  
least you can do.

	This way, you get the best of both worlds. While you're testing you  
can just whip up some certs. When you're ready to go live you get some  
"real" ones.

	Naturally, jabber.org might not have the funding for such a service.  
If no one else out there can donate their time and hardware (I can't),  
perhaps we can put a small fund together for maintenance? I can,  
however, provide the initial development (gratis), as I'm sure many  
others could as well.

	The only problems I see are what to do with XMPP hosting providers.  
If you want to host a large number of domains, requiring TLS on s2s  
can get really unwieldy. DNS issues make trusting SRV records  
problematic as well. So, again, no better solution.

Regards,

-bjc
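
The policy discussed in this thread (require STARTTLS for s2s, with a test server that accepts self-signed certificates and a production server that accepts only verified roots), sketched as an added example that is not part of the original post or of any server's code. The function names and the `cert_status` values are hypothetical; the certificate check itself is assumed to be done by the TLS library after the handshake.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample <stream:features/> elements, as a receiving server might send them.
FEATURES_TLS = (
    f'<stream:features xmlns:stream="{NS_STREAM}">'
    f'<starttls xmlns="{NS_TLS}"><required/></starttls>'
    "</stream:features>"
)
FEATURES_PLAIN = f'<stream:features xmlns:stream="{NS_STREAM}"/>'


def starttls_offer(features_xml):
    """Classify the STARTTLS offer in a stream features element."""
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("not a stream:features element")
    tls = root.find(f"{{{NS_TLS}}}starttls")
    if tls is None:
        return "absent"
    required = tls.find(f"{{{NS_TLS}}}required") is not None
    return "required" if required else "optional"


def s2s_decision(features_xml, cert_status, accept_self_signed):
    """Decision of an initiating server that requires TLS on s2s.

    cert_status (hypothetical values): 'verified' means the peer certificate
    chains to a trusted root and matches the domain; 'self-signed' and
    'invalid' are the other outcomes reported after the handshake.
    """
    # A missing offer is refused, never downgraded to plaintext: an active
    # attacker can strip the <starttls/> element from the features.
    if starttls_offer(features_xml) == "absent":
        return "refuse: peer offers no STARTTLS"
    if cert_status == "verified":
        return "accept: encrypted and authenticated"
    if cert_status == "self-signed" and accept_self_signed:
        return "accept: encrypted, peer not authenticated"
    return "refuse: certificate not acceptable"


if __name__ == "__main__":
    for name, accept in (("test server", True), ("verified roots only", False)):
        print(name, "->", s2s_decision(FEATURES_TLS, "self-signed", accept))
```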

