[Security] S2S Leap of faith w/ SASL EXTERNAL

Stephen Paul Weber singpolyma at singpolyma.net
Fri Nov 19 09:28:38 CST 2010

On Fri, Nov 19, 2010 at 10:25, Peter Saint-Andre <stpeter at stpeter.im> wrote:
> On 11/19/10 8:22 AM, Stephen Paul Weber wrote:
>> On Wed, Nov 17, 2010 at 19:51, Kim Alvefur <zash at zash.se> wrote:
>>> Imagine a server with a self signed certificate.
>> Why is a production server using a self-signed certificate?  StartSSL
>> will give personal sites and some others a cert for free.  Others can
>> either get one pretty cheap, or we could convince the XMPP community
>> to support CACert.
> Given that I used to run the XMPP CA, I heartily agree that it's easy
> enough for people to obtain certificates.
> Either the admins are too lazy to do so or, in the case of large hosting
> services, there are operational difficulties.

So, I'll grant ops difficulties for SSL, which is why we have this
problem in the HTTP community.  XMPP supports TLS, though, and IIRC
SRV support allows using different ports, so none of the "must have
IP" problems are present.

I actually don't use self-signed even for my HTTP, because it's safer
(IMHO) to trust CACert on all my computers rather than a self-signed
cert.  This also means that when the cert changes I don't have to
re-say-yes everywhere.

Stephen Paul Weber, @singpolyma
Please see <http://singpolyma.net> for how I prefer to be contacted.
This message was sent from the GMail webmail interface. It's probably
not signed.  This is a problem.
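The point about SRV in the reply above is that the `_xmpp-server._tcp` record names both host and port, so a domain can terminate s2s TLS wherever it likes, while the certificate presented there still has to chain to a trust anchor before SASL EXTERNAL should be accepted. The following is an added example, not code from the thread or from any XMPP server: it implements the RFC 2782 target ordering over a constructed SRV answer for the hypothetical domain `example.net`, and builds a verifying TLS context that rejects a self-signed peer instead of taking the leap of faith.

```python
"""RFC 2782 SRV ordering plus a verifying TLS context for XMPP s2s.

Added example. SAMPLE_SRV is a constructed DNS answer for the hypothetical
_xmpp-server._tcp.example.net; no real lookup is performed.
"""
import random
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer: two primaries on different ports, one zero-weight backup.
SAMPLE_SRV = [
    SrvRecord(priority=10, weight=60, port=5269, target="xmpp1.example.net."),
    SrvRecord(priority=10, weight=40, port=15269, target="xmpp2.example.net."),
    SrvRecord(priority=20, weight=0, port=5269, target="backup.example.net."),
]


def order_srv(records, rng):
    """Return (host, port) pairs in the order a connecting server should try.

    Lowest priority first. Within one priority, RFC 2782 weighted selection:
    weight-0 records go to the front so they are picked only when the random
    draw is 0, then repeat the draw until the group is exhausted.
    """
    ordered = []
    groups = {}
    for r in records:
        groups.setdefault(r.priority, []).append(r)
    for prio in sorted(groups):
        pool = sorted(groups[prio], key=lambda r: r.weight != 0)  # False sorts first
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for i, r in enumerate(pool):
                running += r.weight
                if running >= pick:
                    ordered.append((r.target.rstrip("."), r.port))
                    del pool[i]
                    break
    return ordered


def candidate_endpoints(records, seed=None):
    """Convenience wrapper; a fixed seed makes the ordering reproducible."""
    return order_srv(records, random.Random(seed))


def s2s_tls_context(ca_bundle=None):
    """Context for the outbound s2s handshake.

    The peer must present a chain to the CA bundle (system roots when None)
    and the certificate must match the domain; a self-signed certificate
    fails verification here rather than being trusted on first contact.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    for host, port in candidate_endpoints(SAMPLE_SRV, seed=1):
        print(f"try {host}:{port}")
    ctx = s2s_tls_context()
    print("verify_mode:", ctx.verify_mode.name, "check_hostname:", ctx.check_hostname)
```

Only after `ctx.wrap_socket(sock, server_hostname=domain)` succeeds does it make sense to let the peer authenticate with SASL EXTERNAL; a verification failure at this point is what distinguishes "the cert is self-signed" from "the cert is trusted", which is exactly the distinction the thread is arguing about.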
