[Operators] Post-google TLS on s2s connections

Peter Saint-Andre stpeter at stpeter.im
Thu May 23 15:29:44 UTC 2013


On 5/23/13 9:06 AM, Jonas Wielicki wrote:
> Hi all,
> 
> It's been discussed and I'm keen to find out about authenticated
> and encrypted s2s.
> 
> So I wonder what, if any, the current “standards” or suggestions on
> this one are. I'm a fan of CACert, and I'd like to stick for that.
> How's the reputation of CACert in the XMPP community?

I was somewhat involved with CACert early on. At the time I set up the
XMPP Intermediate CA, I looked seriously at both CACert and StartCom.
CACert was a mess back then, standard security / CA policies were not
followed, etc. Since then, other folks have worked to clean it up, but
I have not had time to keep track of their progress. CACert is still
not in the most common certificate bundles (Mozilla, etc.), and I know
the CACert folks are working to achieve that status but have not yet
done so.

So basically I am more comfortable with StartCom (now StartSSL), but I
like the CACert model quite a bit and I'd be happy to find evidence
that they're doing things the right way now.

> I believe I read somewhere that hardly anyone really does
> validation of the s2s-TLS-connection if one is used at all?

Correct, in large measure because Google Talk didn't validate. Now we
have the opportunity to change that.

> To boil it down: What would I need as a server operator to have
> the optimal setup for s2s TLS?
> 
> If there are no standards yet here (although I guess there are
> some, based on the behaviour of current implementations), I think
> we shall discuss this, with the major blocker “Google Federation”
> out of the way.

Use server software that correctly validates certificates and will do
force-TLS. At least that's a good place to start.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
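As an added illustration of the advice above (not part of the thread or of any project's code): a small Python checker an operator can point at a peer domain to see whether its s2s port offers STARTTLS, whether it marks STARTTLS as required, and whether the certificate then chains to the system trust store and matches the domain, following the RFC 6120 stream negotiation. The default port, the helper names and the constructed XML fragments are assumptions; SRV resolution of `_xmpp-server._tcp` is left to the caller.

```python
import socket
import ssl
from xml.etree import ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

def parse_features(fragment):
    # The stream: prefix is declared on the stream header, not on <stream:features>, so wrap it first.
    try:
        root = ET.fromstring(f"<w xmlns:stream='{STREAM_NS}'>{fragment}</w>")
    except ET.ParseError:
        return {"offered": False, "required": False}
    starttls = root.find(f".//{{{TLS_NS}}}starttls")
    if starttls is None:
        return {"offered": False, "required": False}
    return {"offered": True,
            "required": starttls.find(f"{{{TLS_NS}}}required") is not None}

def _read_until(sock, markers, limit=65536):
    buf = b""
    while not any(m in buf for m in markers) and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def check_s2s_tls(domain, host=None, port=5269, timeout=10.0):
    # host defaults to the domain itself; SRV lookup (_xmpp-server._tcp) is left to the caller.
    header = ("<?xml version='1.0'?><stream:stream xmlns='jabber:server' "
              f"xmlns:stream='{STREAM_NS}' to='{domain}' version='1.0'>")
    with socket.create_connection((host or domain, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        buf = _read_until(sock, (b"</stream:features>", b"<stream:features/>"))
        fragment = buf[max(buf.find(b"<stream:features"), 0):]
        result = parse_features(fragment.decode("utf-8", "replace"))
        if not result["offered"]:
            return {**result, "validated": False, "error": "STARTTLS not offered"}
        sock.sendall(f"<starttls xmlns='{TLS_NS}'/>".encode())
        if b"<proceed" not in _read_until(sock, (b"/>",)):
            return {**result, "validated": False, "error": "STARTTLS refused"}
        ctx = ssl.create_default_context()  # system roots, hostname check on
        try:
            with ctx.wrap_socket(sock, server_hostname=domain) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return {**result, "validated": True, "cipher": tls.cipher()[0],
                        "subject": subject}
        except ssl.SSLError as exc:  # untrusted chain, name mismatch, etc.
            return {**result, "validated": False, "error": str(exc)}
```

A peer that returns `offered: False` or a validation error is one that the "correctly validates certificates and will do force-TLS" advice would have your server refuse to federate with.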

