Allowing self-signed (or otherwise untrusted) certs with STARTTLS +
EXTERNAL is opening yourself up for a serious security breach.  Using it
with stream:features over dialback would give you encryption with a
self-signed cert and trust through the DNS system.  STARTTLS + Dialback
offers some level of trust along with encryption without having to worry
about the complexities of a certificate chain.

So, I agree with both of you.  :)  We have implemented STARTTLS +
EXTERNAL for S2S in SoapBox Server and allow administrators to choose
the level of trust they require.  I assume if the community gets behind
it we'll implement STARTTLS + dialback as well.

JD

> -----Original Message-----
> From: Peter Saint-Andre [mailto:[EMAIL PROTECTED]
> Sent: Thursday, November 11, 2004 4:05 PM
> To: [EMAIL PROTECTED]
> Subject: [jdev] TLS and self-signed certs
> 
> http://web.amessage.info/news/article/2981 asserts that one cannot use
> self-signed certs with TLS for securing XMPP streams. I don't think
> that's true, since we took that into account when writing RFC3920.
> 
> Also, I am working with the folks from CAcert.org on building
> JabberIDs
> (for any kind of Jabber entity) into CAcert-issued certificates.
> 
> Peter

_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mail.jabber.org/mailman/listinfo/jdev
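The trust decision the thread is arguing about, as an added illustration that is not SoapBox Server code or anything from the list: after STARTTLS, a receiving server either authenticates the peer domain through SASL EXTERNAL (only when the client certificate chains to a trusted CA and asserts that domain), falls back to dialback (encryption from TLS, identity from DNS), or rejects. The policy enum, the `PeerCert` view and the one-label wildcard rule are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class S2sPolicy(Enum):
    """Administrator-selected trust level (hypothetical knob for this example)."""
    EXTERNAL_ONLY = "external_only"                # CA-verified certs only, no fallback
    EXTERNAL_OR_DIALBACK = "external_or_dialback"  # dialback if the cert is not trusted
    DIALBACK_ONLY = "dialback_only"                # TLS for encryption, trust via DNS


@dataclass
class PeerCert:
    """Minimal view of the client certificate presented by the remote server."""
    chain_trusted: bool                         # chains to a CA this server trusts
    names: list = field(default_factory=list)   # identities asserted (dNSName/xmppAddr/CN)


def name_matches(pattern: str, domain: str) -> bool:
    """Case-insensitive identity match; a leading '*.' covers exactly one label (assumption)."""
    p, d = pattern.lower().rstrip("."), domain.lower().rstrip(".")
    if p == d:
        return True
    if p.startswith("*.") and d.count(".") == p.count("."):
        return d.split(".", 1)[1] == p[2:]
    return False


def choose_s2s_auth(peer_domain: str, cert, policy: S2sPolicy) -> str:
    """Decide how the remote domain is authenticated after STARTTLS.

    'external' -> SASL EXTERNAL: the chain is trusted AND the cert asserts peer_domain.
    'dialback' -> stream stays encrypted; identity is proven by DNS-based dialback.
    'reject'   -> neither mechanism is acceptable under the configured policy.
    """
    identity_ok = cert is not None and any(name_matches(n, peer_domain) for n in cert.names)
    # A self-signed (untrusted) cert never authenticates via EXTERNAL, even when it
    # asserts the right name: anyone can mint such a cert for any domain.
    if (policy is not S2sPolicy.DIALBACK_ONLY and cert is not None
            and cert.chain_trusted and identity_ok):
        return "external"
    if policy in (S2sPolicy.EXTERNAL_OR_DIALBACK, S2sPolicy.DIALBACK_ONLY):
        return "dialback"
    return "reject"


if __name__ == "__main__":
    # Constructed sample: a self-signed cert claiming a domain it cannot prove.
    self_signed = PeerCert(chain_trusted=False, names=["jabber.example.org"])
    print(choose_s2s_auth("jabber.example.org", self_signed, S2sPolicy.EXTERNAL_ONLY))
```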
