[Operators] wildcard cert
jesse.thompson at doit.wisc.edu
Mon Feb 22 14:16:01 CST 2010
On 2/22/2010 12:39 PM, Peter Saint-Andre wrote:
> On 2/22/10 11:27 AM, Jesse Thompson wrote:
>> On 2/22/2010 9:41 AM, Peter Saint-Andre wrote:
>>> On 2/22/10 8:35 AM, Jesse Thompson wrote:
>>>> It looks like StartSSL doesn't offer free wildcard certificates (like
>>>> crack, the first hit is free)
>>> It did in the old days when we had the XMPP ICA. In fact we were in the
>>> process of removing that option for Class 1 certs even for the XMPP ICA
>>> because of security problems with wildcard certs. Part of the reasoning
>>> behind pulling the plug on the XMPP ICA and redirecting admins to
>>> startssl.com was that we'd need to perform stronger verification and
>>> that infrastructure was already in place at startssl.com but not at
>> This feels like a bait and switch.
> It is a recognition of the changed security landscape on the net. There
> are significant security issues related to wildcard certificates. Would
> you like me to find some URLs about those security issues?
I'm aware of the issues with wildcard certificates. I cringed the first
time the XMPP Standards Foundation offered it as the only practical
solution for virtual domain hosting. I was, and still am, uncomfortable
obtaining a wildcard certificate for an organization as large as ours.
I took solace in the fact that the XMPP ICA certificate authority was
obscure and the certificates were supposed to be used only for XMPP.
Now that that has changed, I feel that wildcard certificates are no
longer a valid alternative for hosting providers that wish to avoid
>> The only reason we bothered with the
>> wildcard certificate was because the XMPP ICA made it easy.
> IMHO they are still easy at startssl.com, but they are not free because
> they are issued only to Class 2 users. As I understand things, it is not
> free to become a Class 2 user because identity verification is necessary
> and there is more work involved in that (the price is something like $50
> for two years IIRC). But I do not speak for StartSSL so feel free to
> contact them directly about their policies and pricing. We (the XSF) had
> a good relationship with them while we offered xmpp.net but there is no
> official relationship any longer.
>> Now, we're tempted to just install our certificate which matches the
>> server name, and create documentation telling users how to bypass the
>> certificate mismatch warnings. Since Google Apps suffers from the same
>> certificate mismatch problem, the reality is that XMPP clients are
>> having to create workflows to make it easy for users to bypass the
>> errors. We might as well stick with this clusterf*ck until xmpp-dna or
>> xmpp-delegate is implemented.
> Yes you can go down that route, sure. Let us know how it goes. :)
> Personally I think that provides a poor user experience and I would
> avoid it for $25 a year.
>>>> Is there a free option for XMPP certificates?
>>> There is: startssl.com (Class 1).
>> The wildcard certificates are not free, and the verification
>> requirements are going to be painful for an organization our size.
> See above.
>>>> If we have to pay, is GoDaddy an option? (they appear to be cheap and
>>>> less crappy than StartSSL)
>>> Feel free to try out GoDaddy and report back. They are not free as far
>>> as I know. I do not have experience with their certs, only their domain
>>> registration services.
>> hmm... a $200 experiment
> I suppose you could investigate CAcert if $25 a year is too much to pay
> over at startssl.com.
Division of Information Technology, University of Wisconsin-Madison
Email/IM: jesse.thompson at doit.wisc.edu