[Operators] wildcard cert

Jesse Thompson jesse.thompson at doit.wisc.edu
Tue Feb 23 09:38:36 CST 2010

On 2/23/2010 3:28 AM, viq wrote:
> On Mon, Feb 22, 2010 at 9:26 PM, Jesse Thompson
> <jesse.thompson at doit.wisc.edu>  wrote:
>> On 2/22/2010 12:43 PM, Peter Saint-Andre wrote:
>>> On 2/22/10 11:27 AM, Jesse Thompson wrote:
>>>> We might as well stick with this clusterf*ck until xmpp-dna or
>>>> xmpp-delegate is implemented.
>>> Oh, and even then you're going to require a certificate, no? The point
>>> of DNA or _xmpp-delegate or whatever solution the XMPP WG comes up with
>>> is to handle the case of delegation (e.g., Google Apps is hosting my
>>> domains) or the case of adding multiple domains to an existing
>>> connection via attribute certificates. And the attribute cert stuff is
>>> going to require a lot of man hours -- new features in OpenSSL or the
>>> like, an admin-friendly and open-source tool to generate attribute certs
>>> because otherwise it will be really hard, best practice docs, READMEs,
>>> etc. Who is going to do all that work? TANSTAAFL, folks.
>> Yes, we're stuck with a bunch of crappy alternatives:
>> 1. wildcard certificates won't match all virtual domains and also don't
>> match the vcards/conference components within subdomains, introduce security
>> risks if the private keys are exposed, and can be difficult to obtain for
>> many organizations
> Don't at least ejabberd and prosody have support for per-domain certs?
> That sounds like what you're looking for.

The problem is that it doesn't scale well for XMPP hosting providers.
We host 250 domains.  We haven't enabled them all for XMPP because of
these types of issues.

If XMPP requires matching certificates for every domain (and every
component of each domain) it puts the individual XMPP hosting providers
in the position of doing the function of a certificate authority in
order to keep customer certificates up to date.  They have to provide
forms (with secure authentication) for allowing customers to
upload/update certificates and keys.  They have to build processes to
automatically install certificates and keys into the XMPP server
configuration.  They have to send out reminder notices of certificates
that are about to expire.  Basically, they have to do everything that a
CA is responsible for, minus the key generation part.

I'm not interested in running a [mutated] certificate authority.


   Jesse Thompson
   Division of Information Technology, University of Wisconsin-Madison
   Email/IM: jesse.thompson at doit.wisc.edu
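The thread's point about wildcard certificates not matching virtual domains or the conference/vcard components under them is easy to check mechanically. The script below is an added example, not code from the list or from Jesse's deployment: it applies the usual RFC 6125 dNSName matching rules (a wildcard may only be the whole leftmost label and matches exactly one label), builds the list of names an XMPP server would need to present for each hosted domain plus its component subdomains, and reports which of them a given certificate's SAN entries leave uncovered. The SAN list, hosted domains and component names are constructed sample values; XMPP's additional SRV-ID and XmppAddr identifier types are not modelled.

```python
"""Check which XMPP virtual-domain and component names a certificate's
dNSName SAN entries cover, using RFC 6125 wildcard matching rules.
Added example with constructed sample data, not the list's own code."""

from typing import Dict, Iterable, List, Sequence


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one presented dNSName against a hostname.

    A '*' is accepted only as the entire leftmost label, it matches exactly
    one label, and it never matches the parent domain itself; comparison is
    case-insensitive and ignores a trailing dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Partial wildcards (f*o.example.org) and non-leftmost wildcards are rejected.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse overly broad patterns such as "*.com".
    if len(p_labels) < 3:
        return False
    # The wildcard consumes exactly one label, so label counts must be equal
    # and everything right of the wildcard must match exactly.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def required_names(hosted_domains: Iterable[str],
                   components: Sequence[str] = ("conference", "vjud", "pubsub")) -> List[str]:
    """Names a server must present for each hosted virtual domain: the domain
    itself plus one subdomain per component. The component names are a
    constructed, deployment-specific assumption."""
    names: List[str] = []
    for domain in hosted_domains:
        names.append(domain)
        names.extend(f"{component}.{domain}" for component in components)
    return names


def coverage(san_dns_names: Sequence[str], names: Iterable[str]) -> Dict[str, bool]:
    """Map each required name to whether any SAN entry matches it."""
    return {name: any(wildcard_matches(san, name) for san in san_dns_names)
            for name in names}


def uncovered_names(san_dns_names: Sequence[str], hosted_domains: Iterable[str],
                    components: Sequence[str] = ("conference", "vjud", "pubsub")) -> List[str]:
    """Sorted list of required names that the certificate does not cover."""
    covered = coverage(san_dns_names, required_names(hosted_domains, components))
    return sorted(name for name, ok in covered.items() if not ok)


if __name__ == "__main__":
    # Constructed sample: a wildcard cert for one institution, hosting one of
    # its own subdomains and one customer domain under a different TLD.
    sample_san = ["*.wisc.edu", "wisc.edu"]
    sample_domains = ["doit.wisc.edu", "example-customer.org"]
    for name, ok in coverage(sample_san, required_names(sample_domains, ("conference", "vjud"))).items():
        print(f"{'covered  ' if ok else 'UNCOVERED'} {name}")
```

Running it shows that `*.wisc.edu` covers `doit.wisc.edu` but nothing one level deeper (`conference.doit.wisc.edu`) and nothing in a customer's own domain, which is exactly the gap that pushes a hosting provider toward per-domain certificates.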
