[Operators] Fwd: [jdev] TLS Everywhere
dave at cridland.net
Tue Oct 29 17:59:11 UTC 2013
On Tue, Oct 29, 2013 at 5:46 PM, Peter Saint-Andre <stpeter at stpeter.im>wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> On 10/29/13 11:40 AM, Jesse Thompson wrote:
> > On 10/28/2013 2:52 PM, Peter Saint-Andre wrote:
> >> On 10/28/13 1:41 PM, Jesse Thompson wrote:
> >>> Are there more details? Specifically, does "hop-by-hop
> >>> encryption using SSL/TLS" require strong association between a
> >>> domain name and an XML stream as described in
> >>> draft-ietf-xmpp-dna-04?
> >> We, as a community, need to figure out what we can do.
> >> Realistically, I think we need to prefer authenticated encryption
> >> via PKI, POSH, or DNSSEC/DANE and fall back to opportunistic
> >> encryption via TLS + dialback.
> > So, the presumption is that servers which aren't capable of at
> > least TLS+dialback will be cut off?
> Now, this is a proposal, not an ultimatum. We, as a community, need to
> come to a decision about whether this is a reasonable course of
> action. However, I do think we owe it to the users of our services to
> provide a higher level of security.
Also, if phrased right, we could say that the Good Servers talk with each
other securely, but they may also have exceptions to deal with legacy
services which do not yet perform full security.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Operators