[Operators] IM Observatory: Not recognising DigiCert root certificate

Peter Saint-Andre stpeter at stpeter.im
Fri Nov 1 03:06:30 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/31/2013 05:15 PM, Robert Norris wrote:
> [potentially taking us off-topic for this list, let me know]

Not off-topic at all.

> On Fri, Nov 1, 2013, at 02:32 AM, Peter Saint-Andre wrote:
>> If I understand your scenario correctly, I think this is where
>> POSH would help:
> 
> Interesting, I'd not heard of POSH before. If I'm understanding
> this correctly (from a _very_ quick skim through the spec), it's
> rather like DANE except using HTTPS instead of DNSSEC for
> distribution of certificate material, right?

In essence, yes.

> In any case it doesn't look particularly useful for us, because for
> most of our domains we actually do basic web hosting as well (we're
> mostly a consumer-grade service) and we don't have valid
> certificates for those either (the cost of certs and IP addresses
> would be prohibitive). Neither do we have the demand. DANE is
> better for us because we usually host the DNS. Even the 30+ domains
> we own ourselves don't get their own certs (eg
> https://fastmail.co.uk/).

I'll send in the protocol police for violations of RFC 6125. ;-)

> We're likely to do something with DANE next year for email, and
> I'll take a proper look at what's happening with XMPP then (a quick
> search looks like there's been a fair bit of movement in this area
> in the last couple of years, so I've got a lot to catch up on,
> which I don't have time for right now).

https://datatracker.ietf.org/doc/draft-ietf-xmpp-dna/ is also
relevant. The DANE approach is fairly straightforward at the XMPP
layer, but it has a *lot* of dependencies lower in the stack.

> Client support is likely to be the killer.

And registrars and resolvers and so on. Unfortunately it will take
quite a while for DNSSEC to be widely deployed.

> Our Jabber service is very much a niche service, not heavily used.
> 
Maybe you could run a darkmail service eventually...

https://www.computerworld.com.au/article/530582/silent_circle_lavabit_unite_dark_mail_encrypted_email_project/

> It's already hard to justify the time to work on it. If I can't do
> something that's going to benefit everyone using it then it's
> probably not going to happen.
> 
> If someone wants to give me a quick rundown on the state of the
> various specs for XMPP virtual hosting support I'd really
> appreciate it (maybe off-list). I haven't paid much attention to
> XMPP since about 2006, and I'd like to get roughly up to speed if
> I'm going to seriously support our server (which it appears I might
> be, hah).

As to virtual hosting, the challenge is certificate checking. The DNA
and POSH documents give a fairly thorough overview of the problem.

Peter


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
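The thread turns on one mechanism: a client (or peer server) that connects to a hosted XMPP domain receives the hosting provider's certificate, and the RFC 6125 reference-identity check fails because none of that certificate's names is the customer's domain. DANE and POSH both fix this by letting the domain owner publish a fingerprint of the provider's certificate, over DNSSEC-signed TLSA records or over HTTPS respectively. The following is an added example, not code from the thread or from any XMPP project: a minimal Python model of the three checks (RFC 6125 name matching with conservative wildcard rules, a POSH document in the RFC 7711 shape, and a DANE-EE TLSA record of the 3 0 1 form). The certificate bytes, names and records are constructed stand-ins, and the DNSSEC and HTTPS fetching that would precede these checks is assumed to have already happened.

```python
import base64
import hashlib
import json


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are case-insensitive."""
    return name.rstrip(".").lower()


def dns_id_matches(presented: str, reference: str) -> bool:
    """RFC 6125 section 6.4.3 style DNS-ID comparison with conservative wildcard rules:
    '*' is accepted only as the entire left-most label, only with at least two
    labels to its right, and it never matches across a label boundary."""
    p, r = _normalize(presented), _normalize(reference)
    if "*" not in p:
        return p == r
    p_labels, r_labels = p.split("."), r.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return len(r_labels) == len(p_labels) and r_labels[1:] == p_labels[1:]


def reference_identity_matches(presented_ids, domain: str, service: str = "xmpp-server") -> bool:
    """Does any presented identifier in the server cert match the domain the client expects?
    presented_ids is a list of (kind, value) pairs: DNS-ID, SRV-ID or XmppAddr."""
    for kind, value in presented_ids:
        if kind == "DNS-ID" and dns_id_matches(value, domain):
            return True
        if kind == "SRV-ID" and "*" not in value:
            svc, _, host = value.partition(".")
            if svc == "_" + service and _normalize(host) == _normalize(domain):
                return True
        if kind == "XmppAddr" and _normalize(value) == _normalize(domain):
            return True
    return False


def posh_fingerprint(cert_der: bytes) -> str:
    """POSH (RFC 7711) fingerprint: base64 of the SHA-256 digest of the DER certificate."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


def posh_authorizes(cert_der: bytes, posh_document: str) -> bool:
    """Accept the cert if the domain's POSH document lists its sha-256 fingerprint."""
    doc = json.loads(posh_document)
    want = posh_fingerprint(cert_der)
    return any(entry.get("sha-256") == want for entry in doc.get("fingerprints", []))


def tlsa_authorizes(cert_der: bytes, tlsa_records) -> bool:
    """DANE (RFC 6698) check for 'usage 3, selector 0, matching type 1' records:
    hex SHA-256 of the full DER end-entity certificate. DNSSEC validation of the
    record is assumed to have happened already; it is out of scope here."""
    want = hashlib.sha256(cert_der).hexdigest()
    return any(
        (usage, selector, mtype) == (3, 0, 1) and data.lower() == want
        for usage, selector, mtype, data in tlsa_records
    )


def check_hosted_domain(domain, presented_ids, cert_der, posh_document=None, tlsa_records=None):
    """Return which mechanism authorised the provider's certificate for `domain`:
    'reference-identity', 'posh', 'dane', or None if nothing did."""
    if reference_identity_matches(presented_ids, domain):
        return "reference-identity"
    if posh_document is not None and posh_authorizes(cert_der, posh_document):
        return "posh"
    if tlsa_records is not None and tlsa_authorizes(cert_der, tlsa_records):
        return "dane"
    return None


# --- constructed sample data (not real certificates, names or DNS records) ---
PROVIDER_CERT_DER = b"constructed stand-in for the hosting provider's DER certificate"
PROVIDER_IDS = [("DNS-ID", "xmpp.provider.example"), ("DNS-ID", "*.provider.example")]
HOSTED_DOMAIN = "hosted.example"  # customer domain served by the provider
# What hosted.example would publish at https://hosted.example/.well-known/posh/xmpp-server.json
HOSTED_POSH = json.dumps({"fingerprints": [{"sha-256": posh_fingerprint(PROVIDER_CERT_DER)}],
                          "expires": 604800})
# What hosted.example would publish as _5269._tcp.hosted.example IN TLSA (DNSSEC-signed)
HOSTED_TLSA = [(3, 0, 1, hashlib.sha256(PROVIDER_CERT_DER).hexdigest())]

if __name__ == "__main__":
    print("provider's own name:", check_hosted_domain("xmpp.provider.example", PROVIDER_IDS, PROVIDER_CERT_DER))
    print("hosted, nothing published:", check_hosted_domain(HOSTED_DOMAIN, PROVIDER_IDS, PROVIDER_CERT_DER))
    print("hosted + POSH:", check_hosted_domain(HOSTED_DOMAIN, PROVIDER_IDS, PROVIDER_CERT_DER,
                                                 posh_document=HOSTED_POSH))
    print("hosted + DANE:", check_hosted_domain(HOSTED_DOMAIN, PROVIDER_IDS, PROVIDER_CERT_DER,
                                                 tlsa_records=HOSTED_TLSA))
```

Run as-is, the second line shows the failure the thread is about (the provider's wildcard cannot match a domain it does not own), and the last two lines show that a fingerprint published by the hosted domain, over either channel, authorises that same certificate without the customer buying a certificate of their own. The trade-off Robert and Peter discuss is where the trust in that published fingerprint comes from: for DANE it is the DNSSEC chain (registrar, resolver and client support), for POSH it is the hosted domain's own HTTPS certificate, which is why POSH does not help a domain that has no valid web certificate either.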

