>> 2) TLS and s2s
>>
>> My users will not have certs for their domains, and even if they did,
>> I wouldn't want to be responsible for keeping their private keys
>> secret.  TLS is not an option for my service.
>
> Why not?  You might think about obtaining cacert certs during
> provisioning as a part of your service.  You can own the private key
> for jabber.domain.com and that would not conflict with any domain.com
> certificates they may already have.  Then as discussed their DNS host
> would put an SRV record to point to your jabber server.  I think that
> would work anyway...

It would, with a little modification.

CAcert, as it should, only gives certificates to the owner of the domain.
So if you want to get a certificate for jabber.example.com, then you have
to be receiving mail as the administrator for example.com.

Case in point, our server (jabber.zim.net.au) has had an expired
certificate up for some time now, but because I can't receive the
administrative mail for zim.net.au, my co-admin (who does own the domain)
has to do the job.  And he's lazy, so... no certificate.

A system could be set up, however, where his virtual hosting service
generates the private key and CSR, and sends the CSR to the owner of the
domain.  The owner of the domain can then go through whatever process they
want (CAcert, Thawte, whatever) to get the certificate and then push that
certificate back into the web interface to enable their TLS support.

TX
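The hosting-side half of the workflow sketched in the last paragraph, as an added example that is not code from the original thread or from any project named in it. It generates the private key and CSR on the hosting service (the key never leaves that host; only the CSR is handed to the domain owner), and before the returned certificate is installed it checks that the certificate actually belongs to the generated key, carries the requested name, and is not already expired. The hostname jabber.example.com, the working directory, and the function names are assumptions; the self-signing helper stands in for whichever CA the owner uses and exists only so the script can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original thread. Hosting-service side of the
# "generate key + CSR, owner gets it signed, push cert back" workflow.
# Requires the openssl command-line tool. Names and paths are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOSTNAME_FQDN="jabber.example.com"   # constructed hostname, not a real service

# Step 1 (hosting service): generate the private key and a CSR for the
# hostname. Prints the CSR path, which is what gets sent to the domain owner.
gen_key_and_csr() {
    name="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/$name.key" 2>/dev/null
    chmod 600 "$WORKDIR/$name.key"          # the key stays here, readable by us only
    openssl req -new -key "$WORKDIR/$name.key" -subj "/CN=$name" \
        -out "$WORKDIR/$name.csr" 2>/dev/null
    echo "$WORKDIR/$name.csr"
}

# Step 2 (domain owner, outside this script): submit the CSR to a CA of
# their choice and receive a certificate. For offline demonstration this
# helper self-signs the CSR with its own key; a real deployment would get
# the certificate back from the owner instead.
self_sign_for_demo() {
    name="$1"
    openssl x509 -req -in "$WORKDIR/$name.csr" -signkey "$WORKDIR/$name.key" \
        -days 1 -out "$WORKDIR/$name.crt" 2>/dev/null
    echo "$WORKDIR/$name.crt"
}

# Step 3 (hosting service): before enabling TLS with the returned
# certificate, confirm that (a) its public key matches the private key from
# step 1, (b) its subject names the hostname we requested, and (c) it is not
# already expired. Returns 0 when all three hold, 1 otherwise.
cert_matches_key() {
    cert="$1"; key="$2"; name="$3"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$cert" -noout -subject 2>/dev/null \
        | grep -q "CN *= *$name" || return 1
    # -checkend 0: fail if the certificate has already expired
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 1
    return 0
}
```

The matching check is the part worth keeping: an owner who uploads the wrong file (an old certificate, one for a different key, or one issued to a different name) would otherwise leave the server serving a certificate that no peer can validate, or none at all. One caveat the thread does not spell out: an XMPP peer verifies the certificate against the XMPP domain it is connecting to (example.com), not against the SRV target hostname, so the CSR usually has to request the domain name itself rather than only jabber.example.com; the `-subj` above sets only the CN and would need adjusting for that.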
