[Operators] SSL certificates / private CAs / CACert issue

Matt Miller linuxwolf at outer-planes.net
Thu Mar 21 22:29:23 UTC 2013


On Mar 21, 2013, at 3:47 PM, Jesse Thompson <jesse.thompson at doit.wisc.edu> wrote:

> On 3/21/2013 9:45 AM, Peter Saint-Andre wrote:
>> On 3/21/13 6:59 AM, Jesse Thompson wrote:
>>> On 3/21/2013 1:44 AM, Philipp Hancke wrote:
>>>> Well, TLS usage is a mess. Welcome to nobody cares.
>>> 
>>> It's not [only] that they don't care.  It's just plain impractical,
>>> to the point of infeasibility, for an XMPP operator to maintain
>>> valid matching certificates for many hosted domains.
>> 
>> Yes yes yes!
>> 
>> That's why Matt Miller and I have been working on a suite of specs
>> about "domain name associations"...
>> 
>> https://datatracker.ietf.org/doc/draft-saintandre-xmpp-dna/
>> 
>> https://datatracker.ietf.org/doc/draft-miller-xmpp-dnssec-prooftype/ -
>> likely will be merged with
>> https://datatracker.ietf.org/doc/draft-ietf-dane-srv/
>> 
>> https://datatracker.ietf.org/doc/draft-miller-xmpp-posh-prooftype/
>> 
>> Jesse (and other operators), your feedback on those specs would be
>> *very* much appreciated.
> 
> At a glance, I think that you're definitely on the right track.  Sole reliance on DNSSEC should be avoided.  I like the POSH technique; it looks like you've got the security issue addressed (as compared to things like the Thunderbird autoconfiguration protocol), and you've got redirection covered too.
> 
> I'll try to think about issues that might conceptually crop up in a practical deployment.  Is there something specific (as a service operator) you want me to look at?
> 

I'm definitely curious about the feasibility for operators (or the delegators to operators) to deploy any or all of the methods.  This would include getting the right files in the right places.  But really, any and all feedback is most appreciated.


Thanks!

- m&m

Matthew A. Miller
< http://goo.gl/LK55L >
