[Operators] Fwd: [jdev] TLS Everywhere
Jonas Wielicki
xmpp-operators at sotecware.net
Tue Oct 29 18:17:56 UTC 2013
Will there be a reminder for the action days? Because I don't trust
myself to keep an electronic reminder actually functional until Jan 4th
(yeah I know). I'm only operating a small service though (<20 users), so
if I'm the only one with that problem, just don't mind.

Hm, actually I only wanted to ask for the reminder, but now I see more
questions arising, so I'll just continue.

In fact, most of my s2s is already TLS (although I don't require it).
The only exceptions are google+talk and (weirdly) ddg.im (duckduckgo).
I've already raised that issue to their attention[1], no fix yet, as far
as I know.

I already have DNSSEC deployed, so I think the only pending move is
implementing DANE from my side. Then waiting for prosody et al. to gain
DANE-ability. I “only” have a CACert certificate though, but for moral
reasons I decline to move to StartSSL or others. Does CACert qualify for
the “well-known and widely-deployed” CAs? (And shouldn't that rather be:
“well-trusted and widely-deployed”?)

There are cipher suites with forward secrecy. For me on Fedora, this
means Diffie-Hellman, as elliptic curves are still problematic[2] (and
I'm not yet sure whether they're to trust, but I guess no one is). I
wonder whether this is considered okay?

For c2s I do require encryption already.

Are there any requirements for signing, like, minimal user count,
influence on development of XMPPish software or whatsoever? And by
“requirements” I mean, does it make sense to officially sign if you are,
like, a 20 user hobby server operator? ;)

regards,
Jonas

PS: Thanks for making XMPP happen

[1]: https://duck.co/topic/xmpp-server-to-server-connection-with-ddg-gg-is-unencrypted
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=319901#c121
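The DANE step the post says is still pending (publishing a TLSA record for the s2s certificate) can be scripted. The following Python is an added example, not code from the post, from prosody or from any other project mentioned; it assumes a TLSA owner name of the form `_5269._tcp.<host>.` for the s2s port, uses a certificate skeleton constructed inline (with a hypothetical host `xmpp.example.org`) in place of a real CAcert-issued certificate, and defaults to DANE-EE (usage 3), the SubjectPublicKeyInfo selector (1) and SHA-256 matching (1). Usage 3 pins the server's own key, so the record works regardless of whether the issuing CA counts as "well-known" anywhere.

```python
import base64
import hashlib


def der_encode(tag, content):
    """Wrap content in a DER TLV using definite-form length encoding."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf, pos=0):
    """Read one TLV starting at pos; return (tag, content, end_of_tlv)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def der_children(content):
    """Split the body of a SEQUENCE into its child TLVs, headers included."""
    out, pos = [], 0
    while pos < len(content):
        _, _, end = der_read(content, pos)
        out.append(content[pos:end])
        pos = end
    return out


def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER-encoded X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_body, _ = der_read(cert_body)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate missing")
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:          # explicit [0] version tag present (v2/v3 certs)
        fields = fields[1:]
    return fields[5]                  # serial, sigalg, issuer, validity, subject, SPKI


def pem_to_der(pem_text):
    """Strip PEM armour lines and base64-decode the certificate body."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der):
    """Inverse of pem_to_der (used here so a PEM round trip can be checked)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def tlsa_record(owner, cert_der, usage=3, selector=1, mtype=1):
    """Build a TLSA RR in RFC 6698 presentation format for cert_der.

    usage 3 (DANE-EE) pins this certificate/key without reference to any CA;
    selector 1 covers only the SubjectPublicKeyInfo, so the record survives a
    re-issued certificate that keeps the same key; mtype 1 is SHA-256.
    """
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        digest = data.hex()
    elif mtype == 1:
        digest = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        digest = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type")
    return f"{owner} IN TLSA {usage} {selector} {mtype} {digest}"


def constructed_certificate():
    """Constructed, structurally valid X.509 v3 skeleton (NOT a real certificate):
    an ECDSA/P-256 SPKI with a dummy point. Returns (cert_der, spki_der)."""
    def oid(hexstr):
        return der_encode(0x06, bytes.fromhex(hexstr))

    version = der_encode(0xA0, der_encode(0x02, b"\x02"))       # [0] INTEGER 2 (v3)
    serial = der_encode(0x02, b"\x01")
    sig_alg = der_encode(0x30, oid("2a8648ce3d040302"))         # ecdsa-with-SHA256
    empty_name = der_encode(0x30, b"")                          # Name with zero RDNs
    validity = der_encode(0x30, der_encode(0x17, b"131029000000Z") + der_encode(0x17, b"141029000000Z"))
    spki = der_encode(0x30,
                      der_encode(0x30, oid("2a8648ce3d0201") + oid("2a8648ce3d030107"))  # id-ecPublicKey, prime256v1
                      + der_encode(0x03, b"\x00\x04" + b"\x11" * 64))                    # dummy uncompressed point
    tbs = der_encode(0x30, version + serial + sig_alg + empty_name + validity + empty_name + spki)
    signature = der_encode(0x03, b"\x00" + b"\x22" * 70)        # dummy signature bits
    return der_encode(0x30, tbs + sig_alg + signature), spki


if __name__ == "__main__":
    cert, _ = constructed_certificate()
    # Owner name assumed: the s2s port plus the host the domain's SRV record points at.
    print(tlsa_record("_5269._tcp.xmpp.example.org.", cert))
```

To use it with a real server certificate, read the PEM file, pass `pem_to_der(...)` to `tlsa_record`, put the printed line into the DNSSEC-signed zone, and re-run it whenever the key (selector 1) or the certificate (selector 0) changes; with selector 1 a CAcert renewal on the same key needs no zone update.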