[Operators] wildcard cert

Peter Saint-Andre stpeter at stpeter.im
Mon Feb 22 12:39:49 CST 2010

On 2/22/10 11:27 AM, Jesse Thompson wrote:
> On 2/22/2010 9:41 AM, Peter Saint-Andre wrote:
>> On 2/22/10 8:35 AM, Jesse Thompson wrote:
>>> It looks like StartSSL doesn't offer free wildcard certificates (like
>>> crack, the first hit is free)
>> It did in the old days when we had the XMPP ICA. In fact we were in the
>> process of removing that option for Class 1 certs even for the XMPP ICA
>> because of security problems with wildcard certs. Part of the reasoning
>> behind pulling the plug on the XMPP ICA and redirecting admins to
>> startssl.com was that we'd need to perform stronger verification and
>> that infrastructure was already in place at startssl.com but not at
>> xmpp.net.
> This feels like a bait-and-switch.

It is a recognition of the changed security landscape on the net. There
are significant security issues related to wildcard certificates. Would
you like me to find some URLs about those security issues?

> The only reason we bothered with the
> wildcard certificate was because the XMPP ICA made it easy.

IMHO they are still easy at startssl.com, but they are not free because
they are issued only to Class 2 users. As I understand things, it is not
free to become a Class 2 user because identity verification is necessary
and there is more work involved in that (the price is something like $50
for two years IIRC). But I do not speak for StartSSL so feel free to
contact them directly about their policies and pricing. We (the XSF) had
a good relationship with them while we offered xmpp.net but there is no
official relationship any longer.

> Now, we're tempted to just install our certificate which matches the
> server name, and create documentation telling users how to bypass the
> certificate mismatch warnings.  Since Google Apps suffers from the same
> certificate mismatch problem, the reality is that XMPP clients are
> having to create workflows to make it easy for users to bypass the
> errors.  We might as well stick with this clusterf*ck until xmpp-dna or
> xmpp-delegate is implemented.

Yes, you can go down that route, sure. Let us know how it goes. :)
Personally I think that provides a poor user experience and I would
avoid it for $25 a year.

>>> Is there a free option for XMPP certificates?
>> There is: startssl.com (Class 1).
> The wildcard certificates are not free, and the verification
> requirements are going to be painful for an organization our size.

See above.

>>> If we have to pay, is GoDaddy an option? (they appear to be cheap and
>>> less crappy than StartSSL)
>> Feel free to try out GoDaddy and report back. They are not free as far
>> as I know. I do not have experience with their certs, only their domain
>> registration services.
> hmm... a $200 experiment

I suppose you could investigate CAcert if $25 a year is too much to pay
over at startssl.com.


Peter Saint-Andre
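The "certificate mismatch" case discussed above comes from how an XMPP client verifies a server certificate: it checks the cert against the account's domain (the part after the @), not against the host it was sent to by the SRV record. The following is an added illustration of that check, not code from this thread, the XSF or StartSSL; the domain names (example.com, xmpp.example.com) and the certificate name lists are constructed, and only subjectAltName dNSName matching is modelled (XmppAddr and SRV-ID identifiers are left out).

```python
"""Server-certificate name matching as an XMPP client applies it.

Added example, not code from the original thread. The XMPP client checks the
certificate against the account's *domain* (the part after the @), not the
host it actually reached via SRV. Only DNS-ID (subjectAltName dNSName) matching
is modelled; XmppAddr and SRV-ID identifiers are left out for brevity.
All domain names and certificate name lists are constructed for illustration.
"""


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are canonical."""
    return name.strip().rstrip(".").lower()


def dns_id_matches(presented: str, reference: str) -> bool:
    """Return True if one presented dNSName matches the reference identifier.

    Matching rules (in the spirit of RFC 6125 section 6.4.3):
    - case-insensitive, trailing dot ignored
    - a wildcard is honoured only as the entire left-most label ("*.example.com");
      partial-label wildcards such as "x*.example.com" are rejected
    - the wildcard stands for exactly one label, so "*.example.com" matches
      "xmpp.example.com" but neither "example.com" nor "a.b.example.com"
    - at least two literal labels must follow the wildcard ("*.com" is rejected)
    """
    p = _normalize(presented)
    r = _normalize(reference)
    if not p or not r or "*" in r:
        return False
    if "*" not in p:
        return p == r
    p_labels = p.split(".")
    r_labels = r.split(".")
    # Wildcard must be the whole left-most label; no '*' anywhere else.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Reject over-broad wildcards like "*.com".
    if len(p_labels) < 3:
        return False
    # The wildcard matches exactly one label, so label counts must agree.
    if len(r_labels) != len(p_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def cert_covers(san_dns_names, identifier: str) -> bool:
    """True if any dNSName in the certificate matches the identifier."""
    return any(dns_id_matches(n, identifier) for n in san_dns_names)


def verdict(san_dns_names, xmpp_domain: str, connect_host: str) -> str:
    """Classify what a client will do for a certificate / domain / SRV target.

    Returns one of:
      "ok"        - the certificate names the XMPP domain; no warning
      "host-only" - the certificate names only the host the client connected
                    to, which is the "certificate mismatch" case in the thread
      "none"      - the certificate names neither
    """
    if cert_covers(san_dns_names, xmpp_domain):
        return "ok"
    if cert_covers(san_dns_names, connect_host):
        return "host-only"
    return "none"


if __name__ == "__main__":
    # Constructed scenario: users log in as user@example.com, SRV points the
    # client at xmpp.example.com, and the admin bought a cert for that host.
    domain, host = "example.com", "xmpp.example.com"
    for names in (["xmpp.example.com"],                   # server name only
                  ["*.example.com"],                      # wildcard, no bare domain
                  ["example.com", "xmpp.example.com"]):   # names the XMPP domain
        print("%-40r -> %s" % (names, verdict(names, domain, host)))
```

Two things the run makes visible: a certificate issued only for the server's hostname produces the mismatch warning no matter how the server is reached, and a bare `*.example.com` wildcard does not cover `example.com` itself, so even a wildcard cert only silences the warning if the base domain is also listed. What actually fixes the warning is a certificate (wildcard or not) that names the XMPP domain users type into their client.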
