[Operators] IM Observatory: Not recognising DigiCert root certificate

Robert Norris robn at fastmail.fm
Thu Oct 31 23:15:59 UTC 2013

[potentially taking us off-topic for this list, let me know]

On Fri, Nov 1, 2013, at 02:32 AM, Peter Saint-Andre wrote:
> If I understand your scenario correctly, I think this is where POSH
> would help:

Interesting, I'd not heard of POSH before. If I'm understanding this
correctly (from a _very_ quick skim through the spec), it's rather like
DANE except using HTTPS instead of DNSSEC for distribution of
certificate material, right?

In any case it doesn't look particularly useful for us, because for most
of our domains we actually do basic web hosting as well (we're mostly a
consumer-grade service) and we don't have valid certificates for those
either (the cost of certs and IP addresses would be prohibitive).
Neither do we have the demand. DANE is better for us because we usually
host the DNS. Even the 30+ domains we own ourselves don't get their own
certs (e.g. https://fastmail.co.uk/).

We're likely to do something with DANE next year for email, and I'll
take a proper look at what's happening with XMPP then (a quick search
looks like there's been a fair bit of movement in this area in the last
couple of years, so I've got a lot to catch up on, which I don't have
time for right now).

Client support is likely to be the killer. Our Jabber service is very
much a niche service, not heavily used. It's already hard to justify the
time to work on it. If I can't do something that's going to benefit
everyone using it then it's probably not going to happen.

If someone wants to give me a quick rundown on the state of the various
specs for XMPP virtual hosting support I'd really appreciate it (maybe
off-list). I haven't paid much attention to XMPP since about 2006, and
I'd like to get roughly up to speed if I'm going to seriously support
our server (which it appears I might be, hah).

Rob N.

