[Standards] UPDATED: XEP-0257 (Client Certificate Management for SASL EXTERNAL)

Dirk Meyer dmeyer at tzi.de
Fri Feb 13 12:45:13 UTC 2009

Johansson Olle E wrote:
> I think we should change the text about self-signed vs CA-signed that
> is currently a bit ambigous. I know that Dirk's use case is not CA-
> related, but I still think that the XEP should be more neutral and I
> see a lot of use cases where a CA will be required.

I added the text on request based on a discussion on the summit (with
you?). The only use case I could think of was a company internal use of
XMPP. Maybe other use cases requiring a CA should be added to the
beginning of the doc. Can you write down / outline some use cases?

> A recommendation for server developers would be to implement a model
> where the admin can set a policy for the use of certificates for SASL
> external:
> - Only trusted certificates for bare JID certificates and any cert for
> full JID ("bot") certificates
> - Only trusted certificates for both bare JID and full JID certificates
> - Any kind of certificate

>From your other mail:

> "A free public XMPP server MUST allow self-signed certificates and
> certificatessigned by a CA unknown to the server."  (line 184)

> I don't think this XEP is a good place to define policys and
> definitions of "a free public XMPP server". That's outside of the
> scope.  Adding a MUST here requires us to define "free public XMPP
> server".

Yes, I also don't like how I wrote it down. I wrote it because I guess
most people will not have a certificate for all their devices. Therefore
I wanted to make sure that I can use self-signed certificates on public
servers such as xmpp.org.


May brute force be with you.

More information about the Standards mailing list