[Operators] SSL certificates / private CAs / CACert issue

Jesse Thompson jesse.thompson at doit.wisc.edu
Thu Mar 21 21:47:41 UTC 2013


On 3/21/2013 9:45 AM, Peter Saint-Andre wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 3/21/13 6:59 AM, Jesse Thompson wrote:
>> On 3/21/2013 1:44 AM, Philipp Hancke wrote:
>>> Well, TLS usage is a mess. Welcome to nobody cares.
>>
>> It's not [only] that they don't care.  It's just plain impractical,
>> to the point of infeasibility, for an XMPP operator to maintain
>> valid matching certificates for many hosted domains.
>
> Yes yes yes!
>
> That's why Matt Miller and I have been working on a suite of specs
> about "domain name associations"...
>
> https://datatracker.ietf.org/doc/draft-saintandre-xmpp-dna/
>
> https://datatracker.ietf.org/doc/draft-miller-xmpp-dnssec-prooftype/ -
> likely will be merged with
> https://datatracker.ietf.org/doc/draft-ietf-dane-srv/
>
> https://datatracker.ietf.org/doc/draft-miller-xmpp-posh-prooftype/
>
> Jesse (and other operators), your feedback on those specs would be
> *very* much appreciated.

At a glance, I think that you're definitely on the right track.  Sole 
reliance on DNSSEC should be avoided.  I like the POSH technique; it 
looks like you've got the security issue addressed (as compared to 
things like the Thunderbird autoconfiguration protocol), and you've got 
redirection covered too.

I'll try to think about issues that might conceptually crop up in a 
practical deployment.  Is there something specific (as a service 
operator) you want me to look at?

Thanks,
Jesse