[Operators] XMPP and TLS

David Banes david at banes.org
Mon May 19 08:59:17 UTC 2014


On 19 May 2014, at 09:55, Kevin Smith <kevin at kismith.co.uk> wrote:

> On Mon, May 19, 2014 at 9:35 AM, Andreas Tauscher <ta at geuka.net> wrote:
>> As I read this, if I have a domain foo.bar and the SRV record points to
>> im.example.com, c2s and s2s have to verify the certificate against foo.bar
>> instead of im.example.com.
> 
> Right. You have (broadly) two possible cases:
> 
> 1) You trust that DNS/IP layers can't be tampered with. In this case
> there's no need for verification of the certificates, as you're
> confident you're connecting to the right host.
> 
> 2) You don't trust the DNS/IP layers, in which case you don't trust
> that just because DNS tells you to connect to im.example.com instead
> of foo.bar it's right, and need to verify that the machine you connect
> to is authorised to act as foo.bar.
> 
> /K


I'm being really lazy here because I'm time-poor, but do we have anything like SPF in the XMPP specs? SPF allows DNS TXT records to describe allowable senders of email. For example a hosting company would put their own host(s) as TXT records into a customer DNS. Maybe it would help the above use case.

http://en.wikipedia.org/wiki/Sender_Policy_Framework

David.
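Kevin's case 2) above, written out as an added example (not code from the thread or from any XMPP implementation): the peer certificate is matched against the origin domain foo.bar, never against the SRV target im.example.com. The SAN lists are constructed; a real client would parse them out of the peer certificate, which this example does not do.

```python
XMPP_ADDR_OID = "1.3.6.1.5.5.7.8.5"  # id-on-xmppAddr (RFC 6120 section 13.7.1.4)

def _dns_match(presented, reference):
    """RFC 6125 dNSName comparison: case-insensitive exact match, or a
    single leftmost wildcard label (*.foo.bar covers one label only)."""
    p = presented.lower().rstrip(".")
    r = reference.lower().rstrip(".")
    if "*" not in p:
        return p == r
    if not p.startswith("*.") or "*" in p[2:]:
        return False  # only a whole leftmost label may be a wildcard
    r_labels = r.split(".")
    return len(r_labels) >= 3 and ".".join(r_labels[1:]) == p[2:]

def acceptable_for(san_entries, origin_domain, service):
    """True if some SAN entry authorises this certificate to act as
    origin_domain for service ('client' or 'server').

    san_entries: list of (kind, value); kind is "dNSName", "SRVName" or
    "otherName" (value = (oid, text)). The SRV target hostname is never
    consulted: the reference identity is the origin domain."""
    srv_id = "_xmpp-%s.%s" % (service, origin_domain.lower())
    for kind, value in san_entries:
        if kind == "dNSName" and _dns_match(value, origin_domain):
            return True  # DNS-ID for the origin domain itself
        if kind == "SRVName" and value.lower() == srv_id:
            return True  # SRV-ID (RFC 4985), scoped to one service
        if (kind == "otherName" and value[0] == XMPP_ADDR_OID
                and value[1].lower() == origin_domain.lower()):
            return True  # XmppAddr
    return False

def thread_scenario():
    """foo.bar delegates to im.example.com via SRV; which certs pass?"""
    # Both SAN lists are constructed for this example.
    hoster_cert = [("dNSName", "im.example.com")]
    delegated_cert = [("dNSName", "im.example.com"),
                      ("SRVName", "_xmpp-server.foo.bar")]
    return {
        "hoster_cert_for_foo.bar": acceptable_for(hoster_cert, "foo.bar", "server"),
        "delegated_cert_s2s": acceptable_for(delegated_cert, "foo.bar", "server"),
        "delegated_cert_c2s": acceptable_for(delegated_cert, "foo.bar", "client"),
    }
```

The hoster's own certificate for im.example.com is rejected for foo.bar, and an SRV-ID for _xmpp-server.foo.bar authorises s2s only, not c2s.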
