On 12/17/2012 12:13 AM, Peter Viskup wrote:
I do understand the role of SSL and CAs well.
Let me share some words of one of the CACert people (from the mailing
thread I posted at the beginning):
"One of the problems with CAcert: They sign certificates without any
assurance of the issuer - the same as what StartCom does for class 1
certificates, but StartCom is usually trusted by all major web browsers.
If CAcert would offer certificate signing *only* for assured members,
this would already improve security and trustworthiness, since then you
can be sure that a CAcert-signed certificate is issued by a *known*
person and not just by someone who has control over the mail server of a
domain."
I do understand that a list of trusted CAs could lead to "higher"
security, but if we (XMPP operators) do accept CACert or StartCom, then
there could be no issue with accepting other CAs. What rules were
followed in accepting these CAs?
The other case is:
you said I am ignorant because I do not follow some standard security
advice and use our own CA for SSL/TLS on our public services. I
fully agree with the security standards and best practices, but the
question is: how many servers use certificates which are not
signed by a trusted CA in the XMPP (or SMTP) world? And if the number is
higher than 1-10-20-40-100-1000-Idon'tknowhowmany - aren't you the one
ignorant of reality?
This is the reason for the discussion - to recognize how many servers are
using such certificates and/or certificates of CACert or other
low-cost/problematic CAs (StartCom, [compromised]
Verisign?, [compromised] whatever-else).
...and to come to some consensus regarding these issues in the end.
Anyway, the CA world in general is in crisis and there are many voices
calling for something which will solve all SPOFs in this design. This
is another grey point of the CA design which should be kept in mind.
These are links to both threads:
[1] ejabberd
http://lists.jabber.ru/pipermail/ejabberd/2012-December/007894.html
[2] XMPP operators
http://mail.jabber.org/pipermail/operators/2012-December/001528.html
--
Peter Viskup
Dear all,
let me share the list of XMPP servers which use 'not secure' SSL certs
on port 5223:
bbs.docksud.com.ar CN=bbs.docksud.com.ar
jab.undernet.cz CN=Undernet.cz
jabber.dn.ua CN=ejabberd
jabber.freenet.de CN=USERTrust
jabber.od.ua CN=Mickael
jabber.org.by CN=jabber.org.by
jabber.sk CN=TECHTIS
jabber.stammtisch.it CN=jabber.stammtisch.it
jabber.ulm.ccc.de CN=jabber.ulm.ccc.de
jabber.workaround.org CN=jabber.workaround.org
jabber.yorktondigital.ca CN=John
jabberpl.org CN=Certification
jid.pl CN=jid.pl
jis.mit.edu CN=ejabberd
phcn.de CN=phcn.de
silper.cz CN=Frenky
tidesofwar.net CN=tidesofwar.net
tigase.org CN=*.default
tigase.org CN=default
xmpp.org.ru CN=jabber.ttn.ru
CN is the common name of the issuer of that cert. I didn't perform a deeper
analysis. This is just not a complete view of the issue with the servers
not using [CACert,StartSSL]-signed certs.
I wasn't able to get the certs from all servers and filtered out all with
an issuer matching one of these: "/CAcert|StartCom|CA Cert|Thawte|RapidSSL/".
I checked 213 servers (list from jabberes.org or coccinella stats), got
SSL info on port 5223 from 94 servers only (openssl s_client), and 20 of
them have 'wrong' certs installed.
Hope this helped to see the reality a little (as it is not complete :-) ).
It would be great to have a closer look at the reality with more information.
Best regards,
--
Peter Viskup
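As an added example (not part of Peter's post or any project's code), this script reproduces the audit his message describes: connect to the legacy TLS-on-connect port 5223 with openssl s_client, read the leaf cert's subject and issuer, and sort each server into self-signed, trusted-issuer, or flagged. The TRUSTED regex is the issuer filter quoted in the post; the classification labels, function names and the sample DNs are my own assumptions, and the intended use is checking domains you operate.

```sh
#!/bin/sh
# Added example, not from the thread: audit of the legacy TLS-on-connect
# port (5223) with openssl s_client, classifying each server's leaf cert.
TRUSTED='CAcert|StartCom|CA Cert|Thawte|RapidSSL'   # issuer regex quoted in the post

# Print the subject DN and the issuer DN (two lines, "subject="/"issuer="
# prefixes stripped) of the cert served on host:port (port defaults to 5223).
# Output is empty if no TLS handshake completes. No timeout is applied;
# wrap the call in `timeout` if a server may hang.
fetch_dns() {
  </dev/null openssl s_client -connect "$1:${2:-5223}" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -subject -issuer 2>/dev/null \
    | sed 's/^[a-z]*= *//'
}

# Classify one cert from its subject DN ($1) and issuer DN ($2).
# Prints: self-signed (subject == issuer), trusted (issuer matches TRUSTED),
# or flag (issued by something outside the post's filter, e.g. "CN = ejabberd").
classify() {
  if [ "$1" = "$2" ]; then
    echo self-signed
  elif printf '%s\n' "$2" | grep -Eq "$TRUSTED"; then
    echo trusted
  else
    echo flag
  fi
}

# Audit each host given as an argument; prints one line per host.
audit() {
  for h in "$@"; do
    dns=$(fetch_dns "$h") || dns=""
    subj=$(printf '%s\n' "$dns" | sed -n 1p)
    iss=$(printf '%s\n' "$dns" | sed -n 2p)
    if [ -z "$iss" ]; then
      echo "$h no-tls-on-5223"
    else
      echo "$h $(classify "$subj" "$iss") issuer: $iss"
    fi
  done
}

# Usage: audit your own XMPP domains, e.g.  ./audit.sh example.org chat.example.net
if [ $# -gt 0 ]; then
  audit "$@"
fi
```

Note that a "trusted" result here only means the issuer name matched the post's regex, not that the chain validates against a root store; add `-verify_return_error` and a CAfile to s_client when you want real chain validation.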