[Operators] wildcard cert

Jesse Thompson jesse.thompson at doit.wisc.edu
Mon Feb 22 12:27:31 CST 2010

On 2/22/2010 9:41 AM, Peter Saint-Andre wrote:
> On 2/22/10 8:35 AM, Jesse Thompson wrote:
>> It looks like StartSSL doesn't offer free wildcard certificates (like
>> crack, the first hit is free)
> It did in the old days when we had the XMPP ICA. In fact we were in the
> process of removing that option for Class 1 certs even for the XMPP ICA
> because of security problems with wildcard certs. Part of the reasoning
> behind pulling the plug on the XMPP ICA and redirecting admins to
> startssl.com was that we'd need to perform stronger verification and
> that infrastructure was already in place at startssl.com but not at
> xmpp.net.

This feels like a bait and switch.  The only reason we bothered with the 
wildcard certificate was because the XMPP ICA made it easy.

Now, we're tempted to just install our certificate which matches the 
server name, and create documentation telling users how to bypass the 
certificate mismatch warnings.  Since Google Apps suffers from the same 
certificate mismatch problem, the reality is that XMPP clients are 
having to create workflows to make it easy for users to bypass the 
errors.  We might as well stick with this clusterf*ck until xmpp-dna or 
xmpp-delegate is implemented.

>> Is there a free option for XMPP certificates?
> There is: startssl.com (Class 1).

The wildcard certificates are not free, and the verification 
requirements are going to be painful for an organization our size.

>> If we have to pay, is GoDaddy an option? (they appear to be cheap and
>> less crappy than StartSSL)
> Feel free to try out GoDaddy and report back. They are not free as far
> as I know. I do not have experience with their certs, only their domain
> registration services.

hmm... a $200 experiment

   Jesse Thompson
   Division of Information Technology, University of Wisconsin-Madison
   Email/IM: jesse.thompson at doit.wisc.edu
