[Operators] public XMPP service: [jabber.sk]

Peter Saint-Andre stpeter at stpeter.im
Tue Nov 17 13:57:28 CST 2009


If every XMPP server runs its own CA, then how is that different from
every XMPP server offering a self-signed certificate? All of the certs
will be issued by unknown authorities, thus making life difficult for
end users (those scary security warnings!) and reducing the
effectiveness of using common CAs (which can be bundled into operating
systems or cert-stores and therefore re-used by clients and servers).

On 11/14/09 2:44 PM, Peter Viskup wrote:
> I forgot to solve this.
> I have that in my ToDo list - I will issue a new cert with "Subject
> Alternative Name" soon. I just need to find some free time ;-).
> I do not have any objections to using our own CA - we just run our own
> 'Osiris CA' for all services running on our server. I hope that this
> will not be a difficulty to list jabber.sk in your 'Public services list'.
> 
> Regards,
> Peter Viskup
> 
> Peter Saint-Andre wrote:
> On 8/8/09 8:06 PM, Peter Viskup wrote:
> 
>>>> - CA: [Osiris CA] (CA certificates available on https://ca.osiris.sk/)
> 
> When I visit https://ca.osiris.sk/ my browser shows me the following
> warning:
> 
>    ca.osiris.sk uses an invalid security certificate.
> 
>    The certificate is not trusted because the issuer certificate
>    is unknown.
> 
>    The certificate is only valid for *.jabber.sk
> 
> So we seem to have circular trust here (basically, a self-signed
> certificate).
> 
> Do you have objections to using a certificate from a recognized CA, such
> as StartCom or even CAcert?
> 
> Peter
> 
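
The two checks behind the browser warning quoted in this thread, as an added example that is not part of the original messages. The certificate dicts are constructed from the warning text; the issuer CN "Osiris CA", the absence of a SAN on the current cert, the reissued cert and the trust-anchor name are assumptions, and the issuer lookup is a simplified stand-in for real chain validation.

```python
"""Added example: the two checks behind the browser warning quoted above."""

def dns_names(cert):
    """dNSName SAN entries; fall back to the subject CN only when no SAN exists."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return san or [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """RFC 6125 style match: '*' stands for exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # so *.jabber.sk never covers bare jabber.sk
    if p[0] == "*":
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h

def issuer_cn(cert):
    return next(v for rdn in cert["issuer"] for k, v in rdn if k == "commonName")

def diagnose(cert, host, trust_anchors):
    """Return the warnings a verifying client would raise for this host."""
    problems = []
    # Simplification: a real client builds a signature chain to an anchor key;
    # an issuer-name lookup stands in for that step here.
    if issuer_cn(cert) not in trust_anchors:
        problems.append("issuer unknown")
    if not any(name_matches(n, host) for n in dns_names(cert)):
        problems.append("name mismatch")
    return problems

# Constructed sample data in the dict shape of ssl.SSLSocket.getpeercert().
CURRENT_CERT = {   # assumed: CN only, no SAN, issued by the operator's own CA
    "subject": ((("commonName", "*.jabber.sk"),),),
    "issuer": ((("commonName", "Osiris CA"),),),
}
REISSUED_CERT = {  # hypothetical reissue: SAN added, issuer bundled in clients
    "subject": ((("commonName", "jabber.sk"),),),
    "issuer": ((("commonName", "Constructed Public Root CA"),),),
    "subjectAltName": (("DNS", "jabber.sk"), ("DNS", "*.jabber.sk")),
}
BUNDLED_ANCHORS = {"Constructed Public Root CA"}  # stand-in for an OS cert store

if __name__ == "__main__":
    for host in ("ca.osiris.sk", "chat.jabber.sk", "jabber.sk"):
        print(host, diagnose(CURRENT_CERT, host, BUNDLED_ANCHORS),
              diagnose(REISSUED_CERT, host, BUNDLED_ANCHORS))
```

The bare domain `jabber.sk`, which is what an XMPP client checks against the JID domain, is not covered by the wildcard alone, so the reissued cert lists it as its own SAN entry.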