[Operators] Fwd: [jdev] TLS Everywhere

Jonas Wielicki xmpp-operators at sotecware.net
Tue Oct 29 18:17:56 UTC 2013


Will there be a reminder for the action days? Because I don't trust
myself to keep an electronic reminder actually functional until Jan 4th
(yeah I know). I'm only operating a small service though (<20 users), so
if I'm the only one with that problem, just don't mind.

Hm, actually I only wanted to ask for the reminder, but now I see more
questions arising, so I'll just continue.

In fact, most of my s2s is already TLS (although I don't require it).
The only exceptions are google+talk and (weirdly) ddg.im (duckduckgo).
I've already raised that issue to their attention[1], no fix yet, as far
as I know.

I already have DNSSEC deployed, so I think the only pending move is
implementing DANE from my side. Then waiting for prosody et al. to gain
DANE-ability. I “only” have a CACert certificate though, but for moral
reasons I decline to move to StartSSL or others. Does CACert qualify for
the “well-known and widely-deployed” CAs? (And shouldn't that rather be:
“well-trusted and widely-deployed”?)

There are cipher suites with forward secrecy. For me on Fedora, this
means diffie-hellman, as elliptic curves are still problematic[2] (and
I'm not yet sure whether they're to trust, but I guess, no one is). I
wonder whether this is considered okay?

For c2s I do require encryption already.

Are there any requirements for signing, like, minimal user count,
influence on development of XMPPish software or whatsoever? And by
“requirements” I mean, does it make sense to officially sign if you are,
like, a 20 user hobby server operator? ;)

regards,
Jonas

ps.: Thanks for making XMPP happen

[1]: https://duck.co/topic/xmpp-server-to-server-connection-with-ddg-gg-is-unencrypted
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=319901#c121
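Two of the checks Jonas raises above (whether a negotiated suite actually gives forward secrecy, DHE or ECDHE, and what a DANE TLSA record for the s2s port looks like) can be exercised offline with a small standard-library script. The following is an added example written for this thread; it is not code from the post, from Prosody, or from any other project named here. It assumes OpenSSL-style suite names as returned by Python's `ssl.SSLSocket.cipher()` (IANA-style `TLS_..._WITH_...` names are handled too), only implements TLSA selector 0 (whole certificate), and the certificate bytes and hostnames in it are constructed placeholders.

```python
"""Forward-secrecy classification of TLS cipher suites and TLSA (DANE)
record building/verification per RFC 6698. Standard library only."""
import hashlib

# TLS 1.3 suites have no key-exchange prefix in their name because TLS 1.3
# only offers ephemeral (EC)DHE key exchange; they always give forward secrecy.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def forward_secrecy_kex(suite_name: str):
    """Return "DHE", "ECDHE" or "TLS1.3" if the suite uses an ephemeral,
    authenticated Diffie-Hellman key exchange, else None.

    Anonymous DH (ADH / DH_anon) is ephemeral but unauthenticated, so it is
    deliberately not counted. Static RSA or static DH key exchange returns None:
    a later compromise of the server's long-term key exposes recorded sessions.
    """
    if suite_name in TLS13_SUITES:
        return "TLS1.3"
    if suite_name.startswith("TLS_"):
        # IANA spelling, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        kex = suite_name.split("_")[1]
    else:
        # OpenSSL spelling, e.g. ECDHE-RSA-AES128-GCM-SHA256 or EDH-RSA-DES-CBC3-SHA
        kex = suite_name.split("-")[0]
    if kex in ("DHE", "EDH"):
        return "DHE"
    if kex in ("ECDHE", "EECDH"):
        return "ECDHE"
    return None


def has_forward_secrecy(suite_name: str) -> bool:
    """True if forward_secrecy_kex() recognises an ephemeral, authenticated DH exchange."""
    return forward_secrecy_kex(suite_name) is not None


def xmpp_tlsa_owner(domain: str, port: int = 5269, proto: str = "tcp") -> str:
    """Owner name of the TLSA record for an XMPP s2s endpoint (default port 5269)."""
    return f"_{port}._{proto}.{domain}."


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 0, matching: int = 1) -> str:
    """Presentation-format RDATA of a TLSA record: "usage selector matching data".

    Defaults to usage 3 (DANE-EE: the certificate itself is the trust anchor,
    no CA involved, which is what makes a CACert certificate usable with DANE),
    selector 0 (full certificate) and matching type 1 (SHA-256).
    Selector 1 (SubjectPublicKeyInfo) would need ASN.1 parsing and is not implemented.
    """
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is implemented here")
    if matching == 0:
        data = cert_der.hex()
    elif matching == 1:
        data = hashlib.sha256(cert_der).hexdigest()
    elif matching == 2:
        data = hashlib.sha512(cert_der).hexdigest()
    else:
        raise ValueError(f"unknown matching type {matching}")
    return f"{usage} {selector} {matching} {data}"


def tlsa_matches(rdata: str, cert_der: bytes) -> bool:
    """Check a published TLSA RDATA string against the DER certificate actually
    presented in the handshake, by recomputing the association data."""
    usage, selector, matching, data = rdata.split()
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(matching))
    return expected.split()[3].lower() == data.lower()


# Constructed placeholder: NOT a real DER certificate, just bytes to hash.
EXAMPLE_CERT_DER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE"

if __name__ == "__main__":
    for name in ("DHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                 "AES128-SHA", "ADH-AES128-SHA", "TLS_AES_256_GCM_SHA384"):
        print(f"{name:32} forward secrecy: {forward_secrecy_kex(name)}")
    record = tlsa_rdata(EXAMPLE_CERT_DER)
    print(xmpp_tlsa_owner("example.net"), "IN TLSA", record)
    print("published record matches presented cert:", tlsa_matches(record, EXAMPLE_CERT_DER))
```

In practice the suite name comes from `ssl.SSLSocket.cipher()[0]` after the handshake, and the TLSA RDATA from a DNSSEC-validated lookup of the `_5269._tcp` owner name; the DNSSEC validation itself is what makes the TLSA association trustworthy, and this example assumes it has already been done by the resolver.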
