[Operators] IM Observatory: Not recognising DigiCert root certificate

Peter Saint-Andre stpeter at stpeter.im
Fri Nov 1 03:06:30 UTC 2013


On 10/31/2013 05:15 PM, Robert Norris wrote:
> [potentially taking us off-topic for this list, let me know]

Not off-topic at all.

> On Fri, Nov 1, 2013, at 02:32 AM, Peter Saint-Andre wrote:
>> If I understand your scenario correctly, I think this is where
>> POSH would help:
> Interesting, I'd not heard of POSH before. If I'm understanding
> this correctly (from a _very_ quick skim through the spec), it's
> rather like DANE except using HTTPS instead of DNSSEC for
> distribution of certificate material, right?

In essence, yes.

> In any case it doesn't look particularly useful for us, because for
> most of our domains we actually do basic web hosting as well (we're
> mostly a consumer-grade service) and we don't have valid
> certificates for those either (the cost of certs and IP addresses
> would be prohibitive). Neither do we have the demand. DANE is
> better for us because we usually host the DNS. Even the 30+ domains
> we own ourselves don't get their own certs (e.g.
> https://fastmail.co.uk/).

I'll send in the protocol police for violations of RFC 6125. ;-)

> We're likely to do something with DANE next year for email, and
> I'll take a proper look at what's happening with XMPP then (a quick
> search looks like there's been a fair bit of movement in this area
> in the last couple of years, so I've got a lot to catch up on,
> which I don't have time for right now).

https://datatracker.ietf.org/doc/draft-ietf-xmpp-dna/ is also
relevant. The DANE approach is fairly straightforward at the XMPP
layer, but it has a *lot* of dependencies lower in the stack.

> Client support is likely to be the killer.

And registrars and resolvers and so on. Unfortunately it will take
quite a while for DNSSEC to be widely deployed.

> Our Jabber service is very much a niche service, not heavily used.

Maybe you could run a darkmail service eventually...


> It's already hard to justify the time to work on it. If I can't do
> something that's going to benefit everyone using it then it's
> probably not going to happen.
> If someone wants to give me a quick rundown on the state of the
> various specs for XMPP virtual hosting support I'd really
> appreciate it (maybe off-list). I haven't paid much attention to
> XMPP since about 2006, and I'd like to get roughly up to speed if
> I'm going to seriously support our server (which it appears I might
> be, hah).

As to virtual hosting, the challenge is certificate checking. The DNA
and POSH documents give a fairly thorough overview of the problem.


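The thread above turns on one point: with virtual hosting, the certificate a
client sees belongs to the hosting provider, and RFC 6125 identity checking
can never make that certificate vouch for a hosted domain. The following is an
added example (not code from this thread, from FastMail, or from the POSH/DNA
specs) that applies the RFC 6125 DNS-ID matching rules to certificates in the
dict shape Python's ssl.SSLSocket.getpeercert() returns. The certificates and
the names hosting.example / customer.example are constructed placeholders; the
refusal of TLD-wide wildcards and of partial wildcards is a local policy choice,
not an RFC requirement.

```python
"""RFC 6125-style reference identity check (added example, constructed data).

Rules applied, per RFC 6125 section 6.4:
  * labels compare case-insensitively;
  * a wildcard counts only as the entire left-most label and matches exactly
    one label of the reference identity, never across a dot;
  * CN-ID (subject commonName) is consulted only when no dNSName SAN exists.
"""


def _labels(name):
    return name.rstrip(".").lower().split(".")


def _presented_dns_ids(cert):
    """Collect DNS-ID values; fall back to CN-ID only if there are none."""
    dns_ids = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_ids:
        return dns_ids, "DNS-ID"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return cns, "CN-ID"


def _match_one(presented, reference):
    p, r = _labels(presented), _labels(reference)
    if len(p) != len(r):
        return False  # a wildcard never spans label boundaries
    if p[0] == "*":
        # Local policy: refuse wildcards such as *.example that would cover a
        # whole top-level domain; RFC 6125 leaves that decision to the client.
        return len(r) >= 3 and p[1:] == r[1:]
    if "*" in p[0]:
        return False  # partial wildcards (foo*.example) rejected by local policy
    return p == r


def check_identity(cert, reference):
    """Return (ok, reason) for a reference identity against a presented cert."""
    ids, kind = _presented_dns_ids(cert)
    if not ids:
        return False, "certificate presents no DNS-ID or CN-ID"
    for pid in ids:
        if _match_one(pid, reference):
            return True, f"{kind} {pid!r} matches {reference!r}"
    return False, f"none of {kind} {ids} match {reference!r}"


# Constructed certificate of a hosting provider (placeholder names).
PROVIDER_CERT = {
    "subject": ((("commonName", "xmpp.hosting.example"),),),
    "subjectAltName": (("DNS", "xmpp.hosting.example"), ("DNS", "*.hosting.example")),
}
# Constructed legacy certificate with a CN and no subjectAltName at all.
LEGACY_CERT = {"subject": ((("commonName", "im.customer.example"),),)}


def demo():
    """Map each reference identity to whether the cert is accepted for it."""
    cases = [
        (PROVIDER_CERT, "xmpp.hosting.example"),   # exact DNS-ID
        (PROVIDER_CERT, "XMPP.Hosting.Example"),   # case-insensitive
        (PROVIDER_CERT, "tenant.hosting.example"), # wildcard, one label
        (PROVIDER_CERT, "a.b.hosting.example"),    # wildcard must not span labels
        (PROVIDER_CERT, "customer.example"),       # hosted domain: provider cert cannot vouch
        (LEGACY_CERT, "im.customer.example"),      # CN-ID fallback
    ]
    return {ref: check_identity(cert, ref)[0] for cert, ref in cases}


if __name__ == "__main__":
    for ref, ok in demo().items():
        print(f"{ref:28} {'OK' if ok else 'REJECT'}")
```

The customer.example case is the virtual-hosting problem: no amount of correct
checking lets the provider's certificate pass for the hosted domain, so the
domain owner has to publish, via HTTPS-served material (POSH) or DNSSEC-signed
DNS (DANE), what the client should expect instead.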

