[Operators] XMPP and TLS
Kim Alvefur
zash at zash.se
Mon May 19 09:08:54 UTC 2014
Hi!
On 2014-05-19T10:35:39 CEST, Andreas Tauscher wrote:
> As I read this if I have a domain foo.bar and the SRV record points to
> im.example.com c2s and s2s has to verify the certificate against
> foo.bar instead of im.example.com.
If the name you are claiming is 'foo.bar', why would I check that you
present a certificate with a completely different name? Unless you have
DNSSEC, someone could inject a fake SRV (or MX in case of SMTP) record
pointing to a domain they own and that they can present a valid
certificate for. What then?
If you do have DNSSEC, then it's fine to check the certificate against
the delegated name; deployed support for that is probably fairly small.
> I can't find out why XMPP should not handle it like SMTP.
Because it's not handled in SMTP.
> Why do I have to deal in XMPP in this case with thousands of
> certificates?
Like others said, it's a known issue that is being worked on. For now, very
few actually enforce valid certificates and instead fall back to
dialback for verification.
--
Kim "Zash" Alvefur
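The rule Kim describes above, as an added illustration that is not part of the original post or of any XMPP server's code: the certificate is matched against the domain being claimed, and the SRV target becomes an acceptable name only when the SRV lookup was DNSSEC-validated. The SrvResolution type, the dNSName-only matching and the simplified wildcard handling are assumptions of this example.

```python
"""Which names may an XMPP peer's certificate be checked against?"""
from dataclasses import dataclass


@dataclass
class SrvResolution:
    claimed_domain: str     # the domain the peer asserts, e.g. foo.bar
    srv_target: str         # host the SRV record pointed to, e.g. im.example.com
    dnssec_validated: bool  # True only if the SRV answer was DNSSEC-validated


def reference_identifiers(res: SrvResolution) -> set[str]:
    """Names the certificate is allowed to match (the 'reference identifiers')."""
    refs = {res.claimed_domain.lower().rstrip(".")}
    if res.dnssec_validated:
        # Without DNSSEC a forged SRV record could point at an attacker-owned
        # host, so the delegated name is trusted only when the lookup was signed.
        refs.add(res.srv_target.lower().rstrip("."))
    return refs


def _name_match(pattern: str, name: str) -> bool:
    """Exact match, or a single left-most wildcard label (simplified)."""
    if pattern == name:
        return True
    if pattern.startswith("*.") and "." in name:
        return name.split(".", 1)[1] == pattern[2:]
    return False


def certificate_matches(san_dns_names: list[str], res: SrvResolution) -> bool:
    """True if any dNSName in the certificate matches an allowed reference name."""
    sans = [s.lower().rstrip(".") for s in san_dns_names]
    return any(_name_match(s, r) for s in sans for r in reference_identifiers(res))


# Constructed scenario from the thread: foo.bar delegates via SRV to im.example.com,
# and the hosting server presents a certificate issued for im.example.com only.
HOSTING_CERT_SANS = ["im.example.com", "*.example.com"]
UNSIGNED = SrvResolution("foo.bar", "im.example.com", dnssec_validated=False)
SIGNED = SrvResolution("foo.bar", "im.example.com", dnssec_validated=True)
```

With an unsigned SRV answer the hosting certificate is rejected for foo.bar; only a certificate naming foo.bar itself, or a DNSSEC-validated delegation, passes.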