[Operators] wildcard cert

Jesse Thompson jesse.thompson at doit.wisc.edu
Mon Feb 22 14:16:01 CST 2010

On 2/22/2010 12:39 PM, Peter Saint-Andre wrote:
> On 2/22/10 11:27 AM, Jesse Thompson wrote:
>> On 2/22/2010 9:41 AM, Peter Saint-Andre wrote:
>>> On 2/22/10 8:35 AM, Jesse Thompson wrote:
>>>> It looks like StartSSL doesn't offer free wildcard certificates (like
>>>> crack, the first hit is free)
>>> It did in the old days when we had the XMPP ICA. In fact we were in the
>>> process of removing that option for Class 1 certs even for the XMPP ICA
>>> because of security problems with wildcard certs. Part of the reasoning
>>> behind pulling the plug on the XMPP ICA and redirecting admins to
>>> startssl.com was that we'd need to perform stronger verification and
>>> that infrastructure was already in place at startssl.com but not at
>>> xmpp.net.
>> This feels like a bait and switch.
> It is a recognition of the changed security landscape on the net. There
> are significant security issues related to wildcard certificates. Would
> you like me to find some URLs about those security issues?

I'm aware of the issues with wildcard certificates.  I cringed the first 
time the XMPP Standards Foundation offered it as the only practical 
solution for virtual domain hosting.  I was, and still am, uncomfortable 
obtaining a wildcard certificate for an organization as large as ours. 
I took solace in the fact that the XMPP ICA certificate authority was 
obscure and the certificates were supposed to be used only for XMPP. 
Now that that has changed, I feel that wildcard certificates are no 
longer a valid alternative for hosting providers that wish to avoid 
certificate warnings.


>> The only reason we bothered with the
>> wildcard certificate was because the XMPP ICA made it easy.
> IMHO they are still easy at startssl.com, but they are not free because
> they are issued only to Class 2 users. As I understand things, it is not
> free to become a Class 2 user because identity verification is necessary
> and there is more work involved in that (the price is something like $50
> for two years IIRC). But I do not speak for StartSSL so feel free to
> contact them directly about their policies and pricing. We (the XSF) had
> a good relationship with them while we offered xmpp.net but there is no
> official relationship any longer.
>> Now, we're tempted to just install our certificate which matches the
>> server name, and create documentation telling users how to bypass the
>> certificate mismatch warnings.  Since Google Apps suffers from the same
>> certificate mismatch problem, the reality is that XMPP clients are
>> having to create workflows to make it easy for users to bypass the
>> errors.  We might as well stick with this clusterf*ck until xmpp-dna or
>> xmpp-delegate is implemented.
> Yes you can go down that route, sure. Let us know how it goes. :)
> Personally I think that provides a poor user experience and I would
> avoid it for $25 a year.
>>>> Is there a free option for XMPP certificates?
>>> There is: startssl.com (Class 1).
>> The wildcard certificates are not free, and the verification
>> requirements are going to be painful for an organization our size.
> See above.
>>>> If we have to pay, is GoDaddy an option? (they appear to be cheap and
>>>> less crappy than StartSSL)
>>> Feel free to try out GoDaddy and report back. They are not free as far
>>> as I know. I do not have experience with their certs, only their domain
>>> registration services.
>> hmm... a $200 experiment
> I suppose you could investigate CAcert if $25 a year is too much to pay
> over at startssl.com.
> Peter

   Jesse Thompson
   Division of Information Technology, University of Wisconsin-Madison
   Email/IM: jesse.thompson at doit.wisc.edu
