[Operators] XMPP and TLS
Philipp Hancke
fippo at goodadvice.pages.de
Mon May 19 08:57:12 UTC 2014
Am 19.05.2014 10:35, schrieb Andreas Tauscher:
> Hello!
>
> Maybe somebody can enlighten me.
>
> RFC 3920 says in section 5.1.8:
3920 is obsolete. Refer to 6120 and 6125.
[---- SNIP ----]
> As I read this if I have a domain foo.bar an the SRV record points to
> im.example.com c2s and s2s has to verify the certificate against foo.bar
> instead im.example.com.
Correct.
> I can't find out why XMPP should not handle it like SMTP. In case of s2s
> the certificate is verified against the canonical name in the MX record
> (for XMPP the _xmpp-server._tcp record is like the MX record for SMTP)
> and the XMPP _xmpp-client._tcp record I see like autoconfig/autodiscover
> for mail.
Because that delegation is not secure (unless dnssec is used).
> XMPP I have to create and install a certificate for every domain.
Yes. Well, not to get encryption. Only to get authenticated encryption.
> Making it IMHO only complicated and contra productive for enforcing a
> full encrypted XMPP network.
No. It makes it complicated to enforce authenticated encryption on the
network. However, we're currently talking about unauthenticated
(opportunistic) encryption which doesn't require certificate checking.
> On a mail server I can host thousands of domains with one certificate.
mail servers rarely care about the certificate.
> Why do I have to deal in XMPP in this case with thousands of certificates?
This is a known problem.
http://tools.ietf.org/html/draft-ietf-xmpp-dna-05#section-8 explains
that in more detail.
The currently proposed solutions for this are to either use DANE or POSH.
More information about the Operators
mailing list