[Operators] XMPP and TLS

Kevin Smith kevin at kismith.co.uk
Mon May 19 08:55:31 UTC 2014


On Mon, May 19, 2014 at 9:35 AM, Andreas Tauscher <ta at geuka.net> wrote:
> As I read this, if I have a domain foo.bar and the SRV record points to
> im.example.com, c2s and s2s have to verify the certificate against foo.bar
> instead of im.example.com.

Right. You have (broadly) two possible cases:

1) You trust that DNS/IP layers can't be tampered with. In this case
there's no need for verification of the certificates, as you're
confident you're connecting to the right host.

2) You don't trust the DNS/IP layers, in which case you don't trust
that just because DNS tells you to connect to im.example.com instead
of foo.bar it's right, and need to verify that the machine you connect
to is authorised to act as foo.bar.

/K
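As an added illustration of case 2 (this is example code written for this page, not from the thread or any XMPP server): the reference identifiers come from the origin domain the user asked for, never from the SRV target DNS handed back. Certificate identities are assumed to be pre-extracted as constructed `(kind, value)` tuples rather than parsed from a real X.509 object.

```python
"""Reference-identity check for an XMPP server reached via SRV delegation.

The user wants service for origin domain foo.bar; DNS (SRV) says to connect
to im.example.com. The SRV answer is unauthenticated, so the certificate is
matched against the ORIGIN domain (RFC 6120 s13.7.2 / RFC 6125), not the
target host DNS named.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvAnswer:
    origin: str   # domain the user asked for, e.g. foo.bar
    target: str   # host the SRV record pointed to, e.g. im.example.com
    port: int


def _dns_id_matches(pattern: str, name: str) -> bool:
    """RFC 6125 DNS-ID match; '*' may only stand for the whole left-most label."""
    p, n = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if p == n:
        return True
    if p.startswith("*.") and "*" not in p[2:]:
        return n.count(".") == p.count(".") and n.endswith(p[1:])
    return False


def cert_matches_xmpp_service(identities, srv: SrvAnswer,
                              service: str = "xmpp-server") -> bool:
    """identities: constructed (kind, value) pairs standing in for the cert's
    subjectAltName; kind is 'DNS' (dNSName), 'SRV' (SRVName) or 'XmppAddr'."""
    for kind, value in identities:
        if kind == "DNS" and _dns_id_matches(value, srv.origin):
            return True
        if kind == "SRV":
            # SRVName looks like _xmpp-server.foo.bar; the service part must match too.
            svc, _, dom = value.partition(".")
            if svc == f"_{service}" and _dns_id_matches(dom, srv.origin):
                return True
        if kind == "XmppAddr" and value.lower() == srv.origin.lower():
            return True
    return False


def cert_matches_srv_target(identities, srv: SrvAnswer) -> bool:
    """The mistaken check: matching whatever host DNS named. A forged SRV
    answer picks the target, so this only proves you reached that target."""
    return any(k == "DNS" and _dns_id_matches(v, srv.target) for k, v in identities)
```

A certificate for im.example.com alone passes the mistaken check and fails the correct one; a DNS-ID, SRV-ID or XmppAddr for foo.bar is what the server must actually present.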
