[Operators] domain hosting and certificates

Jesse Thompson jesse.thompson at doit.wisc.edu
Mon Mar 10 09:07:26 CDT 2008


Florian Jensen wrote:
> Hi,
> 
> I don't see the main problem being the clients. We plan on hosting many 
> domains on our new Dynamic Cluster for XMPP, so this topic is very 
> interesting for me.

Well, the clients are only a problem when you want to use mismatched 
certificates.  It would be *helpful* if the clients would provide a 
friendly interface that allows users to say: yes, I trust 
foo.hosting.provider when connecting to my.domain.org


> We use the Certificates from the XSF-ICA. I would like to have some type 
> of account where I can manage 300 Certificates or more, check their 
> Expiry Date, and renew them. Also create new Certificate without filling 
> out all information again.

Yes, I agree.  This process does not scale well.


> Then there is the problem of mail verification. What do you guys do when 
> you create certificates? We don't host all the domains which are on the 
> XMPP Cluster. Mail verification to hostmaster@ etc. is not possible in 
> that case.

They accept postmaster@ as valid authorization.  Most of our domain 
administrators delegate their postmaster duties back to us.  For those 
that don't, I expect that they would have to forward the verification 
message.


> How do you guys manage this?

We don't.  We're hoping that a less labor intensive solution will 
present itself.  Until then, we are using one signed certificate, and 
dealing with the client/usability blowback.

Jesse
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3340 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/operators/attachments/20080310/c4a2d30f/attachment.bin 


More information about the Operators mailing list