[Operators] Obtaining XMPP-enabled certificate for server

Florian Schmaus flo at geekplace.eu
Tue Jul 19 14:15:40 UTC 2016


On 19.07.2016 16:06, Sam Whited wrote:
> On Tue, Jul 19, 2016 at 4:53 AM, Simon Josefsson <simon at josefsson.org> wrote:
>> I wonder if people really care about this usage any more -- it does not
>> scale well (all domains have to be encoded in the same cert => big
>> certs) and introduces an indirection which often leaves room for
>> attackers
> 
> I don't understand what problem you're solving by doing this.

Isn't one problem that a cert with CN "example.org" will be valid for
all services found on example.org (simply speaking), whereas using
SRV-ID restricts the cert to a particular service?

Of course, everything will become better once DANE is in wide use. :)

- Florian
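
The scoping difference raised in this message, as an added example that is not part of the original post: a verifier that accepts either an SRV-ID (RFC 4985 SRVName form, _service.domain) or a domain-wide DNS-ID. The function names and the (type, value) tuples are assumptions made for illustration; nothing is parsed from a real certificate.

```python
# Added illustration: presented identifiers are modelled as (type, value)
# tuples instead of being parsed from a real X.509 certificate.

def srv_id(service, domain):
    """Build the SRVName string (RFC 4985 form: _service.domain)."""
    return "_" + service.lower() + "." + domain.lower().rstrip(".")


def cert_matches(presented, service, domain, allow_dns_id=True):
    """Return the identifier type that authorises (service, domain), or None.

    presented: list of ("SRV-ID" | "DNS-ID", value) tuples (constructed input).
    allow_dns_id: if False, only a service-scoped SRV-ID is accepted.
    """
    want_srv = srv_id(service, domain)
    want_dns = domain.lower().rstrip(".")
    # A service-scoped identifier is checked first.
    for kind, value in presented:
        if kind == "SRV-ID" and value.lower() == want_srv:
            return "SRV-ID"
    # A DNS-ID carries no service label, so it matches any service on the domain.
    if allow_dns_id:
        for kind, value in presented:
            if kind == "DNS-ID" and value.lower().rstrip(".") == want_dns:
                return "DNS-ID"
    return None


# Constructed sample identifier sets for example.org.
DOMAIN_WIDE_CERT = [("DNS-ID", "example.org")]
XMPP_ONLY_CERT = [("SRV-ID", "_xmpp-client.example.org"),
                  ("SRV-ID", "_xmpp-server.example.org")]


def demo():
    """Check both sample certs against XMPP and non-XMPP service labels."""
    rows = []
    for name, cert in (("domain-wide", DOMAIN_WIDE_CERT),
                       ("xmpp-only", XMPP_ONLY_CERT)):
        for service in ("xmpp-client", "xmpp-server", "imaps", "https"):
            rows.append((name, service, cert_matches(cert, service, "example.org")))
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The domain-wide set matches every service label, while the SRV-ID-only set matches only the two XMPP services.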
