On 29 August 2013 10:00, Simon Tennant <[email protected]> wrote:
>
> On 28 August 2013 18:28, Matthew Wild <[email protected]> wrote:
>>
>> > http://wiki.xmpp.org/web/Securing_XMPP
>>
>> Only feedback so far: you might want to clarify the "single
>> domain"/"multiple domain" thing - DANE is not a requirement for
>> securely hosting multiple domains on a single server. I think that
>> might confuse people.
>
> It's confusing me too. As I understand the current state of things:
>
> If I look up the SRV record for example.com, connect to the server and the
> certificate matches servername.example.com, I can be pretty certain that I'm
> talking to the right server.

Incorrect. If you are claiming to be example.com, it doesn't matter what
your SRV record targets are. You need to identify yourself with a
certificate for example.com. See
http://prosody.im/doc/certificates#which_domain for our docs on this.

> However, if example.com returns an SRV record for server.xmpp-hosting.com,
> we're dealing with a different beast and DANE / POSHy things need to start
> happening to avoid DNS spoofing. (I'm assuming example.com's owner doesn't
> want to be lodging private certs with their XMPP vhosting provider).
>
> - Is there any reason to worry about DANE stuff for a single domain XMPP
> setup?

DANE solves a different problem. It allows you to use DNSSEC to bootstrap
trust in your certificate. This allows various fun things, including (as I
understand it) secure delegation to a hosting provider (which POSH also
allows, using a different method) and also the ability to use your own CA,
which people can verify through DNSSEC magic as really belonging to you (as
the domain owner).

> - Is Prosody really the only server that supports DANE?

I don't know, but I'll say that whatever support Prosody has for DANE today
is still quite experimental... (as is all DANE-supporting software I've
seen). I do think we're at the beginning of the "early adopter" stage with
it, and it remains to be seen how quickly it will become feasible for secure
federation.

Regards,
Matthew

_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
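The distinction Matthew draws above (the certificate has to identify the origin domain, example.com, not whatever host the SRV record targets) is easy to get wrong in a federation check. The following is an added example, not code from this thread, from Prosody or from the XMPP wiki page. It compares certificate DNS-IDs against a reference domain following RFC 6125 section 6.4.3 (wildcard only as the whole left-most label, matching exactly one label) and classifies the three situations from the thread. The certificates are constructed inline in the shape that ssl.SSLSocket.getpeercert() returns, so nothing touches the network; the verdict strings are this example's own.

```python
"""Which domain does an XMPP server certificate actually identify?

Added example (not code from the thread, from Prosody or from the XMPP
wiki). A server answering for example.com must present a certificate
that identifies example.com, no matter which hostname the SRV record for
example.com points at. Name matching follows RFC 6125 section 6.4.3.
Certificates below are constructed in getpeercert() shape (SAN only).
"""


def dns_ids(peercert):
    """Presented identifiers: subjectAltName dNSName entries only.
    The subject CN is deliberately ignored; RFC 6125 prefers the SAN."""
    return [value for kind, value in peercert.get("subjectAltName", ())
            if kind == "DNS"]


def dns_id_matches(presented, reference):
    """Compare one presented DNS-ID against the reference identifier
    (the origin domain we intended to reach). Case-insensitive, trailing
    dot tolerated, wildcard restricted as RFC 6125 section 6.4.3 requires."""
    p = presented.lower().rstrip(".")
    r = reference.lower().rstrip(".")
    if "*" not in p:
        return p == r
    p_labels, r_labels = p.split("."), r.split(".")
    # Wildcard must be the entire left-most label, matches exactly one
    # label, and needs at least two labels to its right (no "*.com").
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(r_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def identified_name(peercert, origin_domain):
    """The presented name that identifies origin_domain, or None."""
    for name in dns_ids(peercert):
        if dns_id_matches(name, origin_domain):
            return name
    return None


def federation_verdict(origin_domain, srv_target, peercert):
    """Classify the situations discussed in the thread.

    origin_domain: the domain we looked up (e.g. example.com)
    srv_target:    the hostname its SRV record pointed us at
    peercert:      what the server at srv_target presented
    """
    if identified_name(peercert, origin_domain) is not None:
        return "ok: certificate identifies the origin domain"
    if identified_name(peercert, srv_target) is not None:
        # Valid for the host we connected to, but that is not the same as
        # being valid for the domain we were looking for. This is the
        # delegation case where DANE or POSH would have to carry the trust.
        return "reject: certificate only names the SRV target, not the origin domain"
    return "reject: certificate names neither the origin domain nor the SRV target"


# Constructed certificates (getpeercert() shape, SAN only, no real keys).
CERT_ORIGIN = {"subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"))}
CERT_SUBHOST = {"subjectAltName": (("DNS", "servername.example.com"),)}
CERT_HOSTER = {"subjectAltName": (("DNS", "server.xmpp-hosting.com"),)}

if __name__ == "__main__":
    # Simon's first scenario: SRV -> servername.example.com, cert for that host.
    print(federation_verdict("example.com", "servername.example.com", CERT_SUBHOST))
    # What Matthew asks for: a certificate for example.com itself.
    print(federation_verdict("example.com", "servername.example.com", CERT_ORIGIN))
    # Hosted delegation: SRV -> server.xmpp-hosting.com, cert for the hoster.
    print(federation_verdict("example.com", "server.xmpp-hosting.com", CERT_HOSTER))
```

The second branch of federation_verdict is the one that matters for the "multiple domain" question: a hosting provider's certificate that is perfectly valid for server.xmpp-hosting.com says nothing about example.com, so a verifier that checks the SRV target instead of the origin domain accepts exactly the spoofed delegation the thread worries about.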
