[Operators] SSL certificates / private CAs / CACert issue

Peter Saint-Andre stpeter at stpeter.im
Thu Mar 21 14:45:40 UTC 2013


On 3/21/13 6:59 AM, Jesse Thompson wrote:
> On 3/21/2013 1:44 AM, Philipp Hancke wrote:
>> Well, TLS usage is a mess. Welcome to nobody cares.
> 
> It's not [only] that they don't care.  It's just plain impractical,
> to the point of infeasibility, for an XMPP operator to maintain
> valid matching certificates for many hosted domains.

Yes yes yes!

That's why Matt Miller and I have been working on a suite of specs
about "domain name associations"...

https://datatracker.ietf.org/doc/draft-saintandre-xmpp-dna/

https://datatracker.ietf.org/doc/draft-miller-xmpp-dnssec-prooftype/ -
likely will be merged with
https://datatracker.ietf.org/doc/draft-ietf-dane-srv/

https://datatracker.ietf.org/doc/draft-miller-xmpp-posh-prooftype/

Jesse (and other operators), your feedback on those specs would be
*very* much appreciated.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/



