[Operators] [Fwd: Re: Secure Communications Week]

Johansson Olle E oej at edvina.net
Fri Aug 15 14:13:20 CDT 2008


15 aug 2008 kl. 20.11 skrev Peter Saint-Andre:

> Peter Saint-Andre wrote:
>> Forwarding a message sent before I fixed a Mailman restriction...
>> ---------- Forwarded message ----------
>> From: Garrett Wollman <wollman at csail.mit.edu>
>> To: XMPP Operators Group <operators at xmpp.org>
>> Date: Fri, 15 Aug 2008 13:18:11 -0400
>> Subject: Re: [Operators] Secure Communications Week
>> <<On Fri, 15 Aug 2008 07:59:06 -0600, Peter Saint-Andre
>> <stpeter at stpeter.im> said:
>> > How about TLS with self-signed certs + server dialback? At least that
>> > would give us channel encryption.
>> That's no better than anonymous TLS (without certificates).
>
> This is true. I have two questions:
>
> 1. Is TLS+Dialback better than Dialback without TLS?
Yes. Confidentiality is always an improvement.
>
>
> 2. How *should* we handle certificates that are self-signed, issued by unknown CAs, etc.?

There is a lot we could add in a best-practice document. Self-signed certificates don't
belong to a CA, but can still be identified with a fingerprint. Postfix (e-mail server) supports
both fingerprints and CA-style certificate handling.

From reading server manuals and configurations, we could both improve configurations
and improve documentation of this in order to make more people install certificates and
enable encryption.

Authentication of domains can be assisted by a CA, or by DNSSEC. There are options
now to store server-side SSH key fingerprints in DNS, certified by DNSSEC. We could
certainly recommend doing the same with XMPP server certificate fingerprints and have
that as a "lightweight" option. That won't require a global CA.

Just a few thoughts in response to this mail and other mails.
/O
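The "lightweight" option sketched in the message above (match a self-signed certificate by its fingerprint, Postfix-style, against a fingerprint published in DNS and signed with DNSSEC, the way SSHFP records do for SSH host keys) can be illustrated with a small verifier. The code below is an added example for this archive page; it is not Olle Johansson's code and not part of any XMPP server project. It assumes a hypothetical TXT record format `xmpp-fp <digest> <hex>` (no such record is defined on this page), a constructed stand-in for the DER certificate bytes a server would present in the TLS handshake, and that DNSSEC validation was already performed by the resolver and is reported to the verifier as a flag.

```python
import hashlib
import hmac

# Digests a record may name. MD5 is deliberately absent, so records naming it are ignored.
SUPPORTED_DIGESTS = ("sha1", "sha256")

# Constructed stand-in for the DER-encoded certificate a server presents in the TLS
# handshake (a minimal DER SEQUENCE, not a real certificate).
SAMPLE_DER = b"\x30\x03\x02\x01\x01"


def cert_fingerprint(der_cert: bytes, digest: str = "sha256") -> str:
    """Lowercase hex digest of the DER bytes, i.e. the certificate's fingerprint.

    This is the value `openssl x509 -fingerprint -sha256` prints, minus the colons."""
    if digest not in SUPPORTED_DIGESTS:
        raise ValueError(f"unsupported digest {digest!r}")
    return hashlib.new(digest, der_cert).hexdigest()


def normalize_hex(fingerprint: str) -> str:
    """Accept colon-separated (OpenSSL/Postfix style) or bare hex; return bare lowercase hex."""
    bare = fingerprint.strip().replace(":", "").lower()
    if not bare or len(bare) % 2 or any(c not in "0123456789abcdef" for c in bare):
        raise ValueError(f"not a hex fingerprint: {fingerprint!r}")
    return bare


def parse_record(txt: str):
    """Parse one hypothetical TXT record 'xmpp-fp <digest> <hex>' into (digest, hex).

    Returns None for records that are malformed, name an unsupported digest, or are
    not fingerprint records at all, so one bad record cannot break verification."""
    parts = txt.split()
    if len(parts) != 3 or parts[0].lower() != "xmpp-fp":
        return None
    digest = parts[1].lower()
    if digest not in SUPPORTED_DIGESTS:
        return None
    try:
        return digest, normalize_hex(parts[2])
    except ValueError:
        return None


def verify_by_fingerprint(der_cert: bytes, txt_records, dnssec_validated: bool) -> str:
    """Check a presented certificate against fingerprints published in DNS.

    Returns one of:
      'unauthenticated' - records were not DNSSEC-validated, so they prove nothing
                          (a spoofed answer could carry an attacker's fingerprint);
      'no-records'      - nothing usable was published; fall back to CA-style
                          validation or treat the peer as unverified;
      'match'           - the certificate matches a published fingerprint;
      'mismatch'        - records exist but none match: refuse the connection."""
    if not dnssec_validated:
        return "unauthenticated"
    parsed = [r for r in (parse_record(t) for t in txt_records) if r is not None]
    if not parsed:
        return "no-records"
    for digest, expected in parsed:
        # Constant-time compare of two ASCII hex strings.
        if hmac.compare_digest(cert_fingerprint(der_cert, digest), expected):
            return "match"
    return "mismatch"


if __name__ == "__main__":
    fp = cert_fingerprint(SAMPLE_DER)
    colon_fp = ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()
    # Constructed zone contents: an unrelated TXT record, a weak-digest record, a good one.
    records = ["v=spf1 -all", "xmpp-fp md5 00", f"xmpp-fp sha256 {colon_fp}"]
    print(verify_by_fingerprint(SAMPLE_DER, records, dnssec_validated=True))   # match
    print(verify_by_fingerprint(SAMPLE_DER, records, dnssec_validated=False))  # unauthenticated
```

The important design point is the 'unauthenticated' outcome: a fingerprint fetched over plain DNS is only as trustworthy as the DNS answer itself, so without DNSSEC validation the check degrades to the anonymous-TLS situation the thread is discussing. The 'no-records' outcome is what lets a server fall back to ordinary CA-style validation where a domain publishes nothing.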

