[Operators] SSL certificates / private CAs / CACert issue
fippo at goodadvice.pages.de
Mon Dec 17 06:50:24 UTC 2012
> We already had some 'excessive' discussion about it with Peter
> Saint-Andre this year and didn't 'solve' it. The only outcome of it was
> that the Jabber.sk service is still not listed in the list of public
> services and the only reason is that it's using a certificate signed by
> our internal CA. I did accept that and gave Peter more time to think
> about it as it doesn't harm our service at all.
Peter doesn't have a moral high ground on that topic given that xmpp.org
(and muc.xmpp.org, hello council :-)) is running with a self-signed certificate that
a) doesn't contain xmpp.org or muc.xmpp.org (see RFC 6125)
b) has expired in October 2010
Maybe public shaming helps :-p
> Now let me fall into the situation with SSL certificates in the XMPP
> world in more detail.
> Just some months before (and it looks like that also these times) the
> CACert wasn't recognised as a publicly trusted CA by the Mozilla foundation
> (Opera and many more too) because they didn't pass their auditing.
> But at those times almost all of the jabber servers and clients already
> accepted certificates signed by them as 'secure'. Looks like that XMPP
XMPP servers tend to accept anything as "usable" for doing TLS
encryption. Back in 2007 I had no problems using a revoked certificate
(for authentication) either.
I recall repeating this, this year, with similar results.
> I would like to give a chance to run any XMPP server with
> certificates signed by their private CA without any message rejection.
DANE and POSH might help.
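A defender-side check for the two certificate defects described above (no name matching the XMPP domain per RFC 6125, and an expired validity period), added here as an example and not part of the post. It works on the dict that Python's ssl.SSLSocket.getpeercert() returns; the sample certificate is constructed with example.org names, and revocation (also mentioned in the post) and RFC 6120 SRV-IDs are out of its scope.

```python
import ssl
import time

def dns_name_matches(pattern, host):
    """RFC 6125 6.4.3 style dNSName match: case-insensitive, at most one
    wildcard, only as the whole left-most label, never matching '*.tld'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def cert_problems(cert, domain, now=None):
    """Return the reasons a peer certificate must not be accepted for
    `domain`, given the dict that ssl.SSLSocket.getpeercert() returns.
    Revocation (CRL/OCSP) and RFC 6120 SRV-IDs are out of scope here."""
    now = time.time() if now is None else now
    problems = []
    # Identity: the reference identity must match a dNSName SAN (RFC 6125).
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(dns_name_matches(san, domain) for san in sans):
        problems.append("no subjectAltName dNSName matches %s" % domain)
    # Validity period: getpeercert() encodes notBefore/notAfter as GMT strings.
    not_before, not_after = cert.get("notBefore"), cert.get("notAfter")
    if not_after is None or ssl.cert_time_to_seconds(not_after) < now:
        problems.append("certificate expired (notAfter=%s)" % not_after)
    if not_before and ssl.cert_time_to_seconds(not_before) > now:
        problems.append("certificate not yet valid (notBefore=%s)" % not_before)
    return problems

# Constructed sample (example.org, not a real certificate): valid for one
# subdomain only and long expired, mirroring the two defects the post lists.
SAMPLE_CERT = {
    "subject": ((("commonName", "conference.example.org"),),),
    "subjectAltName": (("DNS", "conference.example.org"),),
    "notBefore": "Oct 12 00:00:00 2009 GMT",
    "notAfter": "Oct 12 23:59:59 2010 GMT",
}

if __name__ == "__main__":
    for reason in cert_problems(SAMPLE_CERT, "example.org"):
        print("REJECT:", reason)
```

The same dict shape is what a server gets from getpeercert() on an s2s connection, so the check can be dropped in wherever the "anything goes" TLS acceptance the post complains about currently lives.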