While JD's comments sum this up nicely, I just want to reiterate loudly that self-signed certificates alone truly are worthless. I'm not even talking about man in the middle attacks either. As a form of identity, a self-signed cert is as effective as the "From:" header in good old SMTP, and this would allow spammers to get right in and start faking domains.
TLS + dialback is an intriguing idea. It wouldn't impress the security mafia one bit, but at least you wouldn't open the door to spammers.

-Justin

On Thursday 11 November 2004 04:49 pm, JD Conley wrote:
> Allowing self signed (or otherwise untrusted) certs with STARTTLS +
> EXTERNAL is opening yourself up for a serious security breach. Using it
> with stream:features over dialback would give you encryption with a self
> signed cert and trust through the DNS system. STARTTLS + Dialback
> offers some level of trust along with encryption without having to worry
> about the complexities of a certificate chain.
>
> So, I agree, with both of you. :) We have implemented STARTTLS +
> EXTERNAL for S2S in SoapBox Server and allow administrators to choose
> the level of trust they require. I assume if the community gets behind
> it we'll implement STARTTLS + dialback as well.
>
> JD
>
> > -----Original Message-----
> > From: Peter Saint-Andre [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, November 11, 2004 4:05 PM
> > To: [EMAIL PROTECTED]
> > Subject: [jdev] TLS and self-signed certs
> >
> > http://web.amessage.info/news/article/2981 asserts that one cannot use
> > self-signed certs with TLS for securing XMPP streams. I don't think
> > that's true, since we took that into account when writing RFC3920.
> >
> > Also, I am working with the folks from CAcert.org on building JabberIDs
> > (for any kind of Jabber entity) into CAcert-issued certificates.
> >
> > Peter
>
> _______________________________________________
> jdev mailing list
> [EMAIL PROTECTED]
> http://mail.jabber.org/mailman/listinfo/jdev
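As an added illustration of the dialback argument in the thread above (example code written for this page, not from the jdev list, SoapBox Server or any Jabber implementation), here is a Python simulation in which a dictionary stands in for DNS, the domain names are constructed, and the dialback key is an HMAC over the stream parameters (the construction XEP-0220 recommends, assumed for the demo). The receiving server checks a claimed domain by asking the server DNS points to, so a peer that merely asserts a domain name, as the subject of a self-signed cert does, is refused.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for DNS: domain name -> the server authoritative for it.
DNS = {}

def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    """Dialback key: HMAC-SHA256 keyed with SHA256(secret) over the stream parameters
    (the construction XEP-0220 recommends; only the keyed-MAC property matters here)."""
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(hashlib.sha256(secret).digest(), msg, hashlib.sha256).hexdigest()

class Server:
    """One XMPP server, authoritative for one domain, holding its own dialback secret."""
    def __init__(self, domain: str) -> None:
        self.domain = domain
        self.secret = secrets.token_bytes(32)
        DNS[domain] = self  # "register" the domain in the fake DNS

    def verify(self, receiving: str, originating: str, stream_id: str, key: str) -> bool:
        """Answer a <db:verify>: would I have generated this key for this stream?"""
        expected = dialback_key(self.secret, receiving, originating, stream_id)
        return hmac.compare_digest(expected, key)

def accept_s2s_stream(receiver: Server, claimed_from: str, stream_id: str, key: str) -> bool:
    """Receiving side of dialback: ignore what the peer claims to be, resolve the claimed
    domain via DNS and ask the server found there to confirm the key. The trust
    anchor is DNS itself, so this proves nothing against whoever controls DNS answers."""
    authoritative = DNS.get(claimed_from)
    if authoritative is None:
        return False
    return authoritative.verify(receiver.domain, claimed_from, stream_id, key)

def demo() -> tuple:
    """Return (genuine_accepted, spoofed_accepted); expected (True, False)."""
    receiver = Server("example.net")
    genuine = Server("example.com")
    sid = "stream-1234"  # constructed stream id, chosen by the receiving server
    # Genuine example.com derives the key from its own secret; DNS leads back to it.
    good_key = dialback_key(genuine.secret, receiver.domain, genuine.domain, sid)
    accepted = accept_s2s_stream(receiver, "example.com", sid, good_key)
    # A peer merely claiming to be example.com has a different secret; its key goes to
    # the real example.com, which rejects it. The bare claim proves nothing.
    spoofer = Server("spoof.example")
    bad_key = dialback_key(spoofer.secret, receiver.domain, "example.com", sid)
    spoofed = accept_s2s_stream(receiver, "example.com", sid, bad_key)
    return accepted, spoofed
```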