[Operators] [Fwd: Re: Secure Communications Week]

Peter Saint-Andre stpeter at stpeter.im
Fri Aug 15 16:57:17 CDT 2008


Johansson Olle E wrote:
> 
> On 15 Aug 2008, at 20:11, Peter Saint-Andre wrote:
> 
>> Peter Saint-Andre wrote:
>>> Forwarding a message sent before I fixed a Mailman restriction...
>>> ---------- Forwarded message ----------
>>> From: Garrett Wollman <wollman at csail.mit.edu>
>>> To: XMPP Operators Group <operators at xmpp.org>
>>> Date: Fri, 15 Aug 2008 13:18:11 -0400
>>> Subject: Re: [Operators] Secure Communications Week
>>> <<On Fri, 15 Aug 2008 07:59:06 -0600, Peter Saint-Andre
>>> <stpeter at stpeter.im> said:
>>> > How about TLS with self-signed certs + server dialback? At least that
>>> > would give us channel encryption.
>>> That's no better than anonymous TLS (without certificates).
>>
>> This is true. I have two questions:
>>
>> 1. Is TLS+Dialback better than Dialback without TLS?
> Yes. Confidentiality is always an improvement.

Agreed. As long as people know what they're doing. :)

>> 2. How *should* we handle certificates that are self-signed, issued by 
>> unknown CAs, etc.?
> 
> There is a lot we could add in a best-practice document. Self-signed
> certificates don't belong to a CA, but can still be identified with a
> fingerprint. Postfix (e-mail server) supports both fingerprints and
> CA-style certificate handling.

Yes it would be good to see how this is handled in mail servers.

> From reading server manuals and configurations, we could both improve
> configurations and improve documentation of this in order to make more
> people install certificates and enable encryption.
> 
> Authentication of domains can be assisted by a CA, or by DNS-sec. There
> are options now to store server-side SSH key fingerprints in DNS,
> certified by DNS-sec. We could certainly recommend doing the same with
> XMPP server certificate fingerprints and have that as a "lightweight"
> option. That won't require a global CA.

I suppose one question is: how do you check fingerprints? Do you find 
contact information for the hostmaster and call him on the phone? Does 
XMPP traffic get queued up while you do that? Do you refuse the 
connection and flag the s2s request for action by the xmpp admin? And is 
all that really easier in the end than requesting a cert at xmpp.net?

So yes, a best practices document seems like a good idea...

/psa
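
Added example (not part of the original message or of any XMPP server's code): one possible way to turn the fingerprint questions raised in this thread into an s2s trust policy. The names PinStore, decide and the returned labels are hypothetical, SHA-256 is an assumed choice of fingerprint hash, and the certificate bytes are constructed stand-ins for DER data.

```python
import hashlib

# Constructed sample data: stand-ins for DER-encoded peer certificates.
CERT_A = b"constructed-der-bytes-for-a.example"
CERT_B = b"constructed-der-bytes-for-b.example"

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Compare fingerprints regardless of colons, spaces or letter case."""
    return fp.replace(":", "").replace(" ", "").lower()

class PinStore:
    """Hypothetical per-domain fingerprint pins plus an admin review queue."""

    def __init__(self):
        self.pins = {}    # domain -> set of normalized fingerprints
        self.review = []  # (domain, fingerprint) pairs flagged for the admin

    def pin(self, domain: str, fp: str) -> None:
        self.pins.setdefault(domain.lower(), set()).add(normalize(fp))

    def decide(self, domain: str, der: bytes, ca_valid: bool = False) -> str:
        fp = fingerprint(der)
        if ca_valid:
            # Chain validated against a trusted CA: no pin needed.
            return "accept-ca"
        pinned = self.pins.get(domain.lower())
        if pinned is None:
            # Self-signed or unknown CA and nothing pinned: keep TLS for
            # confidentiality, rely on dialback for identity, and flag the
            # fingerprint for out-of-band checking instead of queueing traffic.
            self.review.append((domain, fp))
            return "encrypt-dialback"
        if normalize(fp) in pinned:
            return "accept-pinned"
        # A pin exists but the presented certificate differs: refuse and flag.
        self.review.append((domain, fp))
        return "refuse"
```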
