[Standards] xmpp.net test SSL trust

Thijs Alkemade thijs at xnyhps.nl
Thu Feb 6 11:23:23 UTC 2014


On 6 feb. 2014, at 10:59, Daniele Ricci <daniele.athome at gmail.com> wrote:

> I think I understand why... my server has no direct TLS port, just
> STARTTLS. Is the certificate tested via STARTTLS as well?

The fact that CAcert certificates are not penalized currently is simply
because it's running Debian, and Debian has CAcert in their trust anchors.

But I'm still a bit torn on whether to change this. I do think that outright
removing them and thereby giving every CAcert server out there an F would be
too harsh.

On the one hand, using CAcert probably means 99% of normal users won't
properly verify your certificate.

On the other hand, there are other alternative trust methods I want to
introduce, like POSH and DANE (already shown, but doesn't influence trust). If
I use the same argument of "nobody's code will trust them based on this", then
those will probably keep getting an F for a long time. That's not very
stimulating.

So I'm thinking about reducing the score for servers relying on CAcert, DANE
or POSH to A- or B and showing a warning about it.

The test will only test STARTTLS on port 5222/5269 or the port found in SRV
records. It will not try old-style SSL on port 5223.

Thijs
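The probe Thijs describes (STARTTLS on 5222/5269 or on the SRV target, no legacy SSL on 5223, then a look at the certificate) can be sketched in a few dozen lines. The following is an added example and is not the xmpp.net code or anything from the thread; it assumes the standard XMPP stream namespaces, takes already-resolved SRV records as input (real SRV lookup needs a resolver library such as dnspython, which is not used here), and verifies the certificate against the system trust store, which is exactly where the Debian/CAcert point above comes from. The sample `<stream:features>` fragment and the `example.org` names are constructed for illustration.

```python
"""STARTTLS certificate probe for XMPP (added example, not xmpp.net's code)."""
import re
import socket
import ssl
import sys
import xml.etree.ElementTree as ET

NS_STREAMS = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_CLIENT = "jabber:client"
NS_SERVER = "jabber:server"
FEATURES_RE = re.compile(rb"<stream:features\s*/>|<stream:features>.*?</stream:features>", re.S)

# Constructed sample of what a server sends after the stream header (not captured traffic).
SAMPLE_FEATURES = (
    "<stream:features>"
    f"<starttls xmlns='{NS_TLS}'><required/></starttls>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>"
)


def srv_name(domain, server_to_server=False):
    """SRV label a client (port 5222 by default) or a peer server (5269) would look up."""
    return f"{'_xmpp-server' if server_to_server else '_xmpp-client'}._tcp.{domain}"


def order_srv(records):
    """Order (priority, weight, target, port) tuples: lowest priority first, then
    highest weight (a simplification of RFC 2782's weighted random choice)."""
    return sorted(records, key=lambda r: (r[0], -r[1]))


def stream_header(domain, server_to_server=False, from_domain=None):
    ns = NS_SERVER if server_to_server else NS_CLIENT
    frm = f" from='{from_domain}'" if from_domain else ""
    return (f"<?xml version='1.0'?><stream:stream to='{domain}'{frm} version='1.0' "
            f"xmlns='{ns}' xmlns:stream='{NS_STREAMS}'>").encode()


def parse_features(features_xml):
    """Return (offered, required) for STARTTLS. The fragment is wrapped in a root that
    declares the 'stream' prefix, since the real <stream:stream> root is never closed."""
    root = ET.fromstring(f"<r xmlns:stream='{NS_STREAMS}'>{features_xml}</r>")
    starttls = root.find(f"{{{NS_STREAMS}}}features/{{{NS_TLS}}}starttls")
    if starttls is None:
        return (False, False)
    return (True, starttls.find(f"{{{NS_TLS}}}required") is not None)


def tls_reply(data):
    """Classify the server's answer to <starttls/>: 'proceed', 'failure' or None."""
    if re.search(rb"<proceed\b", data):
        return "proceed"
    if re.search(rb"<failure\b", data):
        return "failure"
    return None


def read_until(sock, markers, timeout=10.0):
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf for m in markers):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("stream closed before %r" % (markers,))
        buf += chunk
    return buf


def probe_starttls(domain, host, port, server_to_server=False, cafile=None):
    """Negotiate STARTTLS on host:port and verify the certificate for `domain`
    (the XMPP domain, not the SRV target; RFC 6120 section 13.7.2).
    cafile=None means the system trust anchors, so a CAcert-issued certificate
    verifies only on a system that ships CAcert (as Debian did in the thread)."""
    ctx = ssl.create_default_context(cafile=cafile)
    result = {"starttls": False, "required": False, "verified": None, "error": None}
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(stream_header(domain, server_to_server))
        m = FEATURES_RE.search(read_until(sock, (b"</stream:features>", b"<stream:features/>")))
        result["starttls"], result["required"] = parse_features(m.group(0).decode()) if m else (False, False)
        if not result["starttls"]:
            result["error"] = "STARTTLS not offered"
            return result
        sock.sendall(f"<starttls xmlns='{NS_TLS}'/>".encode())
        if tls_reply(read_until(sock, (b"<proceed", b"<failure"))) != "proceed":
            result["error"] = "server refused STARTTLS"
            return result
        try:
            with ctx.wrap_socket(sock, server_hostname=domain) as tls:
                result.update(verified=True, tls_version=tls.version(),
                              subject=tls.getpeercert().get("subject"))
                tls.sendall(b"</stream:stream>")
        except ssl.SSLCertVerificationError as e:  # chain or hostname mismatch
            result.update(verified=False, error=e.verify_message)
    return result


if __name__ == "__main__":
    # Usage: python probe.py example.org [host] [port]  (names are placeholders)
    d = sys.argv[1]
    print(probe_starttls(d, sys.argv[2] if len(sys.argv) > 2 else d,
                         int(sys.argv[3]) if len(sys.argv) > 3 else 5222))
```

`probe_starttls` deliberately has no code path for port 5223: legacy SSL-on-connect is outside what the test checks. The `verified` field answers the question in the thread directly: a server whose chain ends in a CAcert root reports `True` on a host that trusts CAcert and `False` with a `verify_message` about the issuer on one that does not, so the grade depends on the trust store the test runs with, not on the server alone.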