[Operators] SSL certificates / private CAs / CACert issue

Peter Viskup skupko.sk at gmail.com
Sun Dec 16 22:10:52 UTC 2012

On 12/16/2012 10:55 PM, Claudiu Curcă wrote:
> From: operators-bounces at xmpp.org [mailto:operators-bounces at xmpp.org] On Behalf Of Jonas Wielicki
> Sent: Sunday, 16 December 2012 22:47
> To: operators at xmpp.org
> Subject: Re: [Operators] SSL certificates / private CAs / CACert issue
>> Hi Claudiu,
>>> Fair point, although I find it very hard to believe that anyone nowadays still runs an email server or Jabber server and hasn't completely turned off plaintext comms. Using plaintext comms for such communication is wrong on so many levels that I don't even want to get into such a discussion.
>> Agreed on the moral point. However, I'd like to see stats on how many public services allow plaintext comm and which ratio of those even accepts plaintext auth over the unencrypted channel.
>> I, for myself, have enabled unencrypted communications on my XMPP service, even for s2s. Why? Because the documentation of the server software I use recommends it to increase interoperability. Because other servers might reject my fine CACert certificate (although I'll look into StartSSL).
>> regards,
>> Jonas W.
> Unfortunately, what you say is true and no one can say otherwise. However, the truth of the matter is that this situation should be improved (mainly by convincing the Ops to use proper certificates and discourage the use of unsecured connection and CAs doing a better job of ending up in Trust Store lists), not the other way around. If everyone started putting security ahead of comfort, this situation would not be as it is.
> Alas, this is just wishful thinking...
> Claudiu
Hi all,
can anyone tell me what is the difference between the certs the CACert 
and our 'private' CA are issuing?
I do see only one - CACert is for some unknown reason accepted by most 
of the XMPP software. Once you would like to push such restrictive SSL 
rules you should start with rejecting the CACert certificates and inform 
all XMPP software developers that they should remove their root certs 
from the list of trusted CAs. Otherwise I do not see the reason why 
some XMPP servers should reject any other CAs in the world.
I do appreciate work of all people in the CACert and like them, but I 
see this as a grey area on this front in XMPP world. And nobody wants 
to touch it because it smells.
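Mechanically, the question above comes down to what a peer's verifier does with the issuer: a certificate issued by CACert and one issued by an operator's private CA are the same kind of X.509 chain, and the verification outcome turns only on whether the issuing root sits in the verifying server's trust store. The example below is added here and is not code from the thread or from any XMPP server; it builds a throwaway root and a server certificate for a hypothetical XMPP domain in memory with Go's standard crypto/x509 package, then runs the same chain verification against a trust store with and without that root. The CA name, the domain xmpp.example.org and the validity window are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TrustStore is the set of roots a verifier accepts. An empty store holds
// no system roots, so the outcome depends only on what the caller adds.
type TrustStore []*x509.Certificate

// PKI is a constructed, throwaway hierarchy: one self-signed root (standing
// in for the CACert root or an operator's private CA) and one server
// certificate that root issued for an XMPP domain.
type PKI struct {
	Root   *x509.Certificate
	Server *x509.Certificate
}

// NewPKI builds the hierarchy in memory. Names and validity are hypothetical.
func NewPKI(domain string) (*PKI, error) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private CA Root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serverTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain}, // the name a peer server checks
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	serverDER, err := x509.CreateCertificate(rand.Reader, serverTmpl, root, &serverKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	server, err := x509.ParseCertificate(serverDER)
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, Server: server}, nil
}

// Verify runs the standard chain build for the server certificate, as a
// peer would for domain, using only the roots in trusted.
func Verify(p *PKI, trusted TrustStore, domain string) error {
	roots := x509.NewCertPool() // non-nil and empty: no system roots
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := p.Server.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   domain,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports the "issuer not trusted" failure: the chain
// itself was fine, its root simply is not in the store.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// IsHostnameMismatch reports a name mismatch, a distinct failure.
func IsHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	p, err := NewPKI("xmpp.example.org")
	if err != nil {
		panic(err)
	}
	fmt.Println("root in trust store:    ", Verify(p, TrustStore{p.Root}, "xmpp.example.org"))
	fmt.Println("root not in trust store:", Verify(p, TrustStore{}, "xmpp.example.org"))
	fmt.Println("wrong domain:           ", Verify(p, TrustStore{p.Root}, "other.example.org"))
}
```

The first call succeeds and the second fails with an unknown-authority error although nothing about the certificate changed; only the store did. Whether a given XMPP server's bundle carries CACert's root is a packaging decision by that software, which is exactly the asymmetry the message points out.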

