[Operators] SSL certificates / private CAs / CACert issue

Phil Pennock xmpp-operators+phil at spodhuis.org
Thu Mar 21 21:28:41 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On 2013-03-21 at 07:45 -0700, Peter Saint-Andre wrote:
> That's why Matt Miller and I have been working on a suite of specs
> about "domain name associations"...
> 
> https://datatracker.ietf.org/doc/draft-saintandre-xmpp-dna/
> 
> https://datatracker.ietf.org/doc/draft-miller-xmpp-dnssec-prooftype/ -
> likely will be merged with
> https://datatracker.ietf.org/doc/draft-ietf-dane-srv/
> 
> https://datatracker.ietf.org/doc/draft-miller-xmpp-posh-prooftype/
> 
> Jesse (and other operators), your feedback on those specs would be
> *very* much appreciated.

Unsurprisingly, I'm in favour of draft-ietf-dane-srv.  :)

This just nudged me to publish TLSA records which I believe should be
relevant for my server.  They're usage=2 TLSA records, which means that
the CA certificate is in DNS and the PKIX is not to be used.

I can be reached via XMPP as phil.pennock at spodhuis.org and if there are
operators wanting to test interop for DANE stuff, then as long as you
have IPv6 connectivity, contact me off-list to request an account
(definitely no IBR!).

Note that while dnssec-tools has some helpful bits in it, dt-danechk
assumes that it's speaking to a TLS-on-connect port, such as HTTPS,
rather than a STARTTLS-protocol service.  One more reason to have 5223
listening, to ease debugging ...

- -Phil
-----BEGIN PGP SIGNATURE-----

iEYEAREDAAYFAlFLe4EACgkQQDBDFTkDY38ifwCfR3xmJs4eAi0/R8iHptXGy2gs
0msAnjXiIXMUHCz+RQH47fhQTMhlHWgE
=bKsO
-----END PGP SIGNATURE-----


More information about the Operators mailing list