[Operators] XMPP and TLS

Jonas Wielicki xmpp-operators at sotecware.net
Mon May 19 09:08:13 UTC 2014


On 19.05.2014 10:59, David Banes wrote:
> 
> On 19 May 2014, at 09:55, Kevin Smith <kevin at kismith.co.uk> wrote:
> 
>> On Mon, May 19, 2014 at 9:35 AM, Andreas Tauscher <ta at geuka.net> wrote:
>>> As I read this if I have a domain foo.bar and the SRV record points to
>>> im.example.com c2s and s2s has to verify the certificate against foo.bar
>>> instead of im.example.com.
>>
>> Right. You have (broadly) two possible cases:
>>
>> 1) You trust that DNS/IP layers can't be tampered with. In this case
>> there's no need for verification of the certificates, as you're
>> confident you're connecting to the right host.
>>
>> 2) You don't trust the DNS/IP layers, in which case you don't trust
>> that just because DNS tells you to connect to im.example.com instead
>> of foo.bar it's right, and need to verify that the machine you connect
>> to is authorised to act as foo.bar.
>>
>> /K
> 
> 
> I'm being really lazy here because I'm time poor, but do we have anything like SPF in the XMPP specs? SPF allows DNS TEXT records to describe allowable senders of email. For example a hosting company would put their own host(s) as TXT records into a customer DNS.  Maybe it would help the above use case.
> 
> http://en.wikipedia.org/wiki/Sender_Policy_Framework

Leaving aside the fact that SPF is broken in many ways, it is also based on
DNS and has the same problems.

You can put many domains in one certificate by adding many
SubjectAltName attributes, if your certificate provider supports this.
This saves some of the effort.

regards,
Jonas

> 
> David.
> 
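The thread's two cases (trust DNS and accept the SRV target, or distrust DNS and require the certificate to cover the origin domain) and Jonas's multi-SubjectAltName suggestion can be written down as a small reference-identity check. The following is an added example, not code from the thread or from any XMPP server; it uses only the Python standard library and the dict shape that `ssl.SSLSocket.getpeercert()` returns for a verified peer. The function names, the constructed certificate dicts and the hosting-provider scenario are this example's own assumptions.

```python
"""Reference-identity check for an XMPP server certificate.

Added example, not part of the mailing-list thread. Operates on the dict
returned by ssl.SSLSocket.getpeercert() for an already chain-verified peer
certificate; it decides *which name* that certificate must cover.
"""
from typing import Dict, List, Tuple


def reference_identity(origin_domain: str, srv_target: str, trust_dns: bool) -> str:
    """Return the name the peer has to prove ownership of.

    Case 1 (trust the DNS/IP layers): the SRV target is taken at face value.
    Case 2 (don't trust DNS; this is what RFC 6120 requires): the certificate
    must cover the origin domain from the JID, whatever host SRV pointed at.
    """
    return srv_target.lower() if trust_dns else origin_domain.lower()


def _san_dns_names(cert: Dict) -> List[str]:
    """dNSName entries of the subjectAltName extension, lower-cased."""
    return [v.lower().rstrip(".") for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _matches(pattern: str, name: str) -> bool:
    """Conservative RFC 6125-style matching.

    A wildcard is accepted only as the entire left-most label, only in a
    pattern with at least three labels, and it matches exactly one label:
    "*.example.com" covers "chat.example.com" but not "example.com",
    "a.b.example.com", and "*.bar" never covers "foo.bar".
    """
    if pattern == name:
        return True
    p, n = pattern.split("."), name.split(".")
    return p[0] == "*" and len(p) >= 3 and len(p) == len(n) and p[1:] == n[1:]


def cert_covers(cert: Dict, name: str) -> bool:
    """True if a SAN dNSName covers `name`. The Common Name is deliberately
    ignored: modern validators consult only subjectAltName."""
    name = name.lower().rstrip(".")
    return any(_matches(p, name) for p in _san_dns_names(cert))


def check_peer(cert: Dict, origin_domain: str, srv_target: str, trust_dns: bool) -> Tuple[bool, str]:
    """Combine the two steps; returns (accepted, identity that was required)."""
    ident = reference_identity(origin_domain, srv_target, trust_dns)
    return cert_covers(cert, ident), ident


def missing_sans(cert: Dict, customer_domains: List[str]) -> List[str]:
    """For a hosting provider: which customer domains the shared certificate
    still lacks, i.e. what to add as further SubjectAltName entries."""
    return [d for d in customer_domains if not cert_covers(cert, d)]


# Constructed sample certificates in getpeercert() shape; not real certificates.
HOST_ONLY_CERT = {
    "subject": ((("commonName", "im.example.com"),),),
    "subjectAltName": (("DNS", "im.example.com"),),
}
MULTI_SAN_CERT = {
    "subject": ((("commonName", "im.example.com"),),),
    "subjectAltName": (
        ("DNS", "im.example.com"),
        ("DNS", "*.example.com"),
        ("DNS", "foo.bar"),            # hosted customer domain
        ("IP Address", "192.0.2.10"),  # ignored: not a dNSName
    ),
}

if __name__ == "__main__":
    # foo.bar's SRV record points at im.example.com (constructed scenario).
    for label, cert in (("host-only cert", HOST_ONLY_CERT), ("multi-SAN cert", MULTI_SAN_CERT)):
        for trust in (True, False):
            ok, ident = check_peer(cert, "foo.bar", "im.example.com", trust_dns=trust)
            print(f"{label:15} trust_dns={trust!s:5} required={ident:15} accepted={ok}")
    print("still missing:", missing_sans(HOST_ONLY_CERT, ["foo.bar", "baz.example"]))
```

Running it shows the asymmetry the thread describes: the host-only certificate is accepted only if you trust DNS, while the certificate that also lists `foo.bar` as a SAN passes in both cases. `missing_sans` is the operator-side view of Jonas's advice: the list it returns is exactly what has to go into the shared certificate before a customer domain can be served with strict verification.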