[Operators] Fwd: [jdev] TLS Everywhere

Jonas Wielicki xmpp-operators at sotecware.net
Tue Oct 29 18:40:14 UTC 2013

On 29.10.2013 19:25, Dave Cridland wrote:
>> In fact, most of my s2s is already TLS (although I don't require it).
>> The only exceptions are google+talk and (weirdly) ddg.im (duckduckgo).
>> I've already raised that issue to their attention[1], no fix yet, as far
>> as I know.
> By TLS, is that including proper authentication?
I'd have to check that and I'd assume it's not.

>> I already have DNSSEC deployed, so I think the only pending move is
>> implementing DANE from my side. Then waiting for prosody et al. to gain
>> DANE-ability. I “only” have a CACert certificate though, but for moral
>> reasons I decline to move to StartSSL or others. Does CACert qualify for
>> the “well-known and widely-deployed” CAs? (And shouldn't that rather be:
>> “well-trusted and widely-deployed”?)
> Ugh.
> The problem here is that we want turn-key security as much as possible. So
> we want the certificates to be deployed by the operating systems et al,
> it's not a list that we can provide. (If we did, we'd be the moral
> equivalent of a CA anyway).
In fact, one can find a lot of conspiracy on that topic on the right
lists, this one might not be the right place for these discussions. Even
if CACert is not fine, there's still opportunistic encryption and more
importantly DANE, so I'm okay with that.

>> There is cipher suites with forward secrecy. For me on Fedora, this
>> means diffie-hellman, as elliptic curves are still problematic[2] (and
>> I'm not yet sure whether they're to trust, but I guess, noone is). I
>> wonder whether this is considered okay?
> I thought (possibly wrongly) that all PFS suites were based around a DH
> exchange, whether EC or not.
Right, I meant classical DH. Sorry for the incorrectness, I'm no
cryptographer :). In fact, I hope that this choice is in the future made
by the server software vendors, so that they offer a reasonable list of
suites by default. However, prosody is not in the best light here, due
to luasec issues. I have no idea how the situation looks for other
servers though.


More information about the Operators mailing list