Hi,

On Sun, 27 Oct 2013 21:23:08 -0600, Peter Saint-Andre wrote:
> have drafted a plan for upgrading the XMPP network to always-on,
> mandatory, ubiquitous encryption. You can find it here:

Great to see a movement towards ubiquitous encryption! A couple of questions.

In the software there is:

> o provide configuration options to require channel encryption for
>   client-to-server and server-to-server connections

While deployed:

> o require the use of TLS for both client-to-server and server-to-server
>   connections
> o deploy certificates issued by well-known and widely-deployed
>   certification authorities (CAs)

While I can see clients wanting to connect to servers that don't follow that
manifesto, the software piece should probably also get an "It SHOULD be on by
default." Or maybe MUST?

Question 2, here I might simply be lacking some knowledge; I'm presuming some
things. On the software side:

> o prefer authenticated encryption (via digital certificates) for
>   server-to-server connections; if authenticated encryption is not
>   available, fall back to opportunistic encryption with identity
>   verification using Server Dialback

whereas the deployment piece says:

> o require the use of TLS for both client-to-server and server-to-server
>   connections

Doesn't that exclude Server Dialback? Please help me understand this.

I still have a third question or remark, on the deployment of certificates
issued by "well-known and widely-deployed CAs." In short: I'm not a big fan of
them and have my doubts about this. But my ideas around it still need to hatch
out.

Ciao,
kwadronaut

_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
_______________________________________________
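The two manifesto items quoted in question 2 can be read as separate things: a negotiation preference on the software side (certificate-based authentication first, then opportunistic TLS with Server Dialback as the identity check) and an acceptance gate on the deployment side (no TLS, no link). The following Python model is an added illustration, not code from the email, the manifesto, or any XMPP server; the `PeerCapabilities` fields, the link-kind strings and the sample peers are constructed assumptions for this example only. It shows which combinations of TLS, CA-issued certificate and Server Dialback (XEP-0220) satisfy both items at once.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerCapabilities:
    """What a remote server offers on an s2s stream (constructed sample data)."""
    domain: str
    offers_tls: bool          # advertises STARTTLS on the stream
    trusted_cert: bool        # cert chains to a trusted CA and matches `domain`
    supports_dialback: bool   # will answer a Server Dialback (XEP-0220) key check


def negotiate(peer):
    """Software-side preference: authenticated encryption first, otherwise
    opportunistic encryption with identity verified by Server Dialback.
    Returns the kind of link that results, or 'none' if nothing applies."""
    if peer.offers_tls and peer.trusted_cert:
        # TLS plus a CA-issued certificate: the peer's identity comes from the cert.
        return "authenticated-encrypted"
    if peer.offers_tls and peer.supports_dialback:
        # TLS with a certificate we cannot verify: still confidential,
        # identity established by dialback instead of the certificate.
        return "opportunistic-encrypted"
    if peer.supports_dialback:
        # Legacy mode: identity check only, traffic in the clear.
        return "dialback-plaintext"
    return "none"


ENCRYPTED = {"authenticated-encrypted", "opportunistic-encrypted"}


def deployment_accepts(link_kind):
    """Deployment-side rule: require TLS on every s2s link. Dialback on top of
    TLS passes; dialback without TLS does not."""
    return link_kind in ENCRYPTED


def evaluate(peer):
    """Run the preference order, then apply the acceptance gate."""
    kind = negotiate(peer)
    return kind, deployment_accepts(kind)


# Constructed peers covering each outcome (domains are placeholders).
SAMPLE_PEERS = [
    PeerCapabilities("ca-signed.example", True, True, True),
    PeerCapabilities("self-signed.example", True, False, True),
    PeerCapabilities("plaintext-only.example", False, False, True),
    PeerCapabilities("no-dialback.example", True, False, False),
]

if __name__ == "__main__":
    for p in SAMPLE_PEERS:
        kind, ok = evaluate(p)
        print(f"{p.domain:26} -> {kind:24} {'accept' if ok else 'reject'}")
```

Running it shows that the peer with a self-signed certificate is still accepted because dialback verifies its identity over an encrypted stream, while the peer that only does plaintext dialback is the one the "require TLS" rule turns away; dialback itself is not excluded, only its unencrypted use.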
