[Security] S2S Leap of faith w/ SASL EXTERNAL

Peter Saint-Andre stpeter at stpeter.im
Fri Nov 19 09:36:47 CST 2010


On 11/19/10 8:28 AM, Stephen Paul Weber wrote:
> On Fri, Nov 19, 2010 at 10:25, Peter Saint-Andre <stpeter at stpeter.im> wrote:
>> On 11/19/10 8:22 AM, Stephen Paul Weber wrote:
>>> On Wed, Nov 17, 2010 at 19:51, Kim Alvefur <zash at zash.se> wrote:
>>>> Imagine a server with a self signed certificate.
>>>
>>> Why is a production server using a self-signed certificate?  StartSSL
>>> will give personal sites and some others a cert for free.  Others can
>>> either get one pretty cheap, or we could convince the XMPP community
>>> to support CACert.
>>
>> Given that I used to run the XMPP CA, I heartily agree that it's easy
>> enough for people to obtain certificates.
>>
>> Either the admins are too lazy to do so or, in the case of large hosting
>> services, there are operational difficulties.
> 
> So, I'll grant ops difficulties for SSL, which is why we have this
> problem in the HTTP community.  XMPP supports TLS, though, and IIRC
> SRV support allows using different ports, so none of the "must have
> IP" problems are present.

The issue is not multiple IP addresses, the issue is managing 10,000
certificates. Now, maybe that's not really so hard -- it would be good
to get some feedback from large operators about that (Google Apps, GMX,
DreamHost, etc.).

Peter

-- 
Peter Saint-Andre
https://stpeter.im/


