[Operators] Secure Communications Week

Peter Saint-Andre stpeter at stpeter.im
Fri Aug 15 11:12:42 CDT 2008

Johansson Olle E wrote:
> 15 aug 2008 kl. 18.00 skrev Peter Saint-Andre:
>> Johansson Olle E wrote:
>>> 15 aug 2008 kl. 17.36 skrev Peter Saint-Andre:
>>>> David Horwitz wrote:
>>>>> Hi All,
>>>>> I just was looking at registering our service at www.xmpp.net Is 
>>>>> there any reason why xmpp@[domain] is not a valid verification 
>>>>> address? Being a large university all the other addresses are 
>>>>> handled by other departments....
>>>> Yes, I know. That policy is set by the root CA we use (StartCom) and 
>>>> we don't have any control over it, since we're just an intermediate CA.
>>> It's the same as for Geotrust's SSL certificates. In order to confirm 
>>> your domain, they want you to prove that you are in control of the 
>>> mail flow. That's why they only have a short list of pre-defined mail 
>>> addresses to choose from.
>>> For Geotrust, it's webmaster and sslmaster. Could probably add 
>>> "xmppmaster" as well, but that's something that we only can suggest 
>>> from the community side.
>> For StartCom it's hostmaster, postmaster, and webmaster, in accordance 
>> with RFC 2142. RFC 3920 mentions the xmpp@ address, but that is not 
>> accepted by StartCom as an official email address. I suppose I could 
>> work with them on that. :)
> Well, as you have nothing to do, that could be an interesting way to 
> spend your time. An alternative could be running against the well a few 
> times. I don't know what gives more result, but trying to talk with a 
> commercial CA is certainly an interesting experience to tell your 
> grand-kids about one evening in front of the fireplace... Good luck!

Well we work directly with StartCom and they are very easy to deal with 
(maybe it helps that the XSF pays them money), but I think that adding a 
new verification address would require changes to their policy documents 
and they might not want to do that for auditing purposes.

In any case, in my experience only a small percentage of admins are 
bothered by this policy (mostly at universities), and the solution is 
more of a PITA than an impossible hurdle (make nice to the postmaster).

The bigger problem I've found is that many important TLDs don't offer a 
native whois service, and that's also required by StartCom. More here:



