[Security] S2S Leap of faith w/ SASL EXTERNAL

Peter Saint-Andre stpeter at stpeter.im
Wed Nov 17 20:54:49 CST 2010

On 11/17/10 7:48 PM, Jesus Cea wrote:
> On 18/11/10 02:52, Kim Alvefur wrote:
>> The thing I wanted to get at was to make it simpler for smaller
>> deployments, like some friends personal servers, to establish some
>> measurement of trust between themselves, without all the bureaucracy
>> that CA's brings.
> Too bad DNSSEC is being deployed almost as slowly as IPv6.

It's been going faster recently. The root is signed, as is org, with com
and net coming soon AFAIK. And there's now a handy Firefox plugin:


> I do care about MITM attacks. But when you don't have any other choice...
> I was thinking about DNSSEC and storing X.509 fingerprints in the DNS...
> That could destroy the need of a X.509 CA hierachy.
> You can actually do it now, with no DNSSEC, if you accept DNS is safe
> (current situation with dialbacks).
> Store the certificate fingerprint in a DNS record.

There's an effort starting up at the IETF to do just that. The working
group should be formed quite soon. Here's the proposed charter:


So progress is happening, but it's always slower than we'd like...


Peter Saint-Andre

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6105 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/security/attachments/20101117/c147bf44/attachment-0001.bin>

More information about the Security mailing list