[Operators] Post-google TLS on s2s connections
stpeter at stpeter.im
Thu May 23 15:29:44 UTC 2013
On 5/23/13 9:06 AM, Jonas Wielicki wrote:
> Hi all,
> It's been discussed and I'm keen to find out about authenticated
> and encrypted s2s.
> So I wonder what, if any, the current “standards” or suggestions on
> this one are. I'm a fan of CACert, and I'd like to stick for that.
> How's the reputation of CACert in the XMPP community?
I was somewhat involved with CACert early on. At the time I set up the
XMPP Intermediate CA, I looked seriously at both CACert and StartCom.
CACert was a mess back then, standard security / CA policies were not
followed, etc. Since then, other folks have worked to clean it up, but
I have not had time to keep track of their progress. CACert is still
not in the most common certificate bundles (Mozilla, etc.), and I know
the CACert folks are working to achieve that status but have not yet
So basically I am more comfortable with StartCom (now StartSSL), but I
like the CACert model quite a bit and I'd be happy to find evidence
that they're doing things the right way now.
> I believe I read somewhere that hardly anyone really does
> validation of the s2s-TLS-connection if one is used at all?
Correct, in large measure because Google Talk didn't validate. Now we
have the opportunity to change that.
> To boil it down: What would I need as a server operator to have
> the optimal setup for s2s TLS?
> If there are no standards yet here (although I guess there are
> some, based on the behaviour of current implementations), I think
> we shall discuss this, with the major blocker “Google Federation”
> out of the way.
Use server software that correctly validates certificates and will do
force-TLS. At least that's a good place to start.
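As an added illustration (not from this thread, and not the configuration of any server named in it), here is what "validates certificates and forces TLS" looks like in a Prosody config, assuming Prosody as the server software; the first block shows the permissive settings, the second the hardened ones:

```lua
-- Constructed example of a Prosody config fragment (hypothetical host names).
-- Permissive: s2s peers may connect in the clear and any certificate is accepted.
-- This is the behaviour the thread describes as common practice in 2013.
s2s_require_encryption = false   -- plaintext s2s is accepted
s2s_secure_auth        = false   -- peer certificates are not validated; dialback is enough

-- Hardened: every s2s stream must be TLS-protected and the peer's certificate
-- must chain to a trusted CA and match the peer domain.
s2s_require_encryption = true    -- refuse s2s streams that do not negotiate STARTTLS
s2s_secure_auth        = true    -- refuse peers whose certificate does not validate

-- Optional per-domain exceptions while the federation migrates, so that a single
-- unvalidated peer does not force the global setting back to false.
s2s_insecure_domains = { "legacy.example.net" }   -- placeholder peer domain

-- A trust store is needed for validation to mean anything; point Prosody at the
-- system CA bundle (path is the Debian/Ubuntu default, adjust for other systems).
ssl = {
    certificate = "/etc/prosody/certs/xmpp.example.com.crt",  -- placeholder path
    key         = "/etc/prosody/certs/xmpp.example.com.key",  -- placeholder path
    cafile      = "/etc/ssl/certs/ca-certificates.crt",
}
```

A peer whose CA is not in the bundle (the CACert case raised in the thread) will fail s2s_secure_auth until it is added to the trust store or listed in s2s_insecure_domains.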