There's four things you can do with TLS: 1) Compression. This is irrelevant here.
2) Integrity - so you know the bytes that left the peer you're talking to haven't been changed. 3) Confidentiality - so you know the bytes that left the peer you're talking to haven't been seen by anyone else. 4) Authentication - so you know the peer you're talking to. The XSF's list mostly cares about (4), and in the context of TLS, this essentially means we need a trust anchor that we trust (an arbitrary and personal choice) to be at the root of your chain. In common parlance, that's a CA we trust. A private CA is no different, technically, to a known public CA - the difference is that we (arbitrarily) might trust the former and not the latter. (2) and (3) are irrelevant without authentication - you're completely secure to your peer, but have no idea who that peer is. It needn't be the same authentication as in TLS, however. Indeed, you can use Anonymous DH, and not have a certificate at all - it's exactly the same in security terms as RSA (or ECDSA - there's a rant for another time) certificates that you don't trust. It's a bit more convenient to have a cert, mind, because then you can do interesting hacks like DANE and POSH. Parts of DANE work much better if you use a private CA, too (since you can assert a trust anchor within a domain). However, since certificates work in a two-step dance (do I trust the TA? Does the TA trust the cert?), then without a TA agreed between the two parties you're basically going to have to use DANE or POSH. So, solutions: 1) Work with the XSF to have your private CA generally trusted. I think this isn't going to fly, to be honest. 2) Implement DANE at jabber.sk. You'll need to first implement DNSSEC, possibly with look-aside, though it's not clear the XSF can accept look-aside validation for DNSSEC. 3) Implement POSH. You'll basically need a website with a known cert, as I recall. (Note that I've not caught up with POSH in some time). Personally, I'd go for (2), depending on look-aside validation and/or SK's DNSSEC implementation. You'll then need to push for this to be acceptable to the XSF, which may involve pushing DANE within the implementation community, but that's all good as far as I'm concerned, and I'll happily lend my support (and push within Isode for support too). Dave.
