[Standards] compliance: cert(s)

Matthias Wimmer m at tthias.eu
Fri Jun 15 20:32:37 UTC 2007

Hi Justin!

Justin Karneges wrote:
> The XSF runs an ICA, but that alone is not enough of a reason for XMPP 
> developers and users to trust it.  The reason the XMPP ICA is interesting is 
> because it is under StartCom control, and StartCom is widely trusted.  To 
> better understand what I mean, just imagine if the XMPP CA was an independent 
> root CA.  The value comes not from the XSF's booming voice, but from 
> StartCom. :)

> Anyway, there's nothing wrong with having a recommendation, and I see you've 
> already published new versions of the XEP with it.  However, it does come off 
> as an advertisement, which is a strange thing to have in a XEP.  You could 
> just as well advertise Equifax, I'm sure they have a number of XMPP domain 
> certificates issued too.

> Right, bundling does have value.  The Psi 0.11 release candidate ships the 
> StartCom root, for example.  However, Psi only does this because Mozilla does 
> this.  Really, it is important here to realize who is in a position to vouch 
> for trust.  XSF and Psi are unable to do this, but the Mozilla Foundation is, 
> and so that's the authority Psi draws from, *not* any XSF recommendation.

+3 ... one for each chapter ...

While I do bundle the StartCom root certificate with jabberd14 as well,
I also do not do this because of any XEP.

Me as well, I would consider it at least very strange if any XEP
advertises or recommends any certification authority. You also won't
find any recommended CA in RFC 2818 (HTTP over TLS).


Matthias Wimmer      Fon +49-700 77 00 77 70
Züricher Str. 243    Fax +49-89 95 89 91 56
81476 München        http://ma.tthias.eu/
