On 3/21/2013 9:45 AM, Peter Saint-Andre wrote:
On 3/21/13 6:59 AM, Jesse Thompson wrote:
On 3/21/2013 1:44 AM, Philipp Hancke wrote:
Well, TLS usage is a mess. Welcome to nobody cares.

It's not [only] that they don't care.  It's just plain impractical,
to the point of infeasibility, for an XMPP operator to maintain
valid matching certificates for many hosted domains.

Yes yes yes!

That's why Matt Miller and I have been working on a suite of specs
about "domain name associations"...

https://datatracker.ietf.org/doc/draft-saintandre-xmpp-dna/

https://datatracker.ietf.org/doc/draft-miller-xmpp-dnssec-prooftype/ -
likely will be merged with
https://datatracker.ietf.org/doc/draft-ietf-dane-srv/

https://datatracker.ietf.org/doc/draft-miller-xmpp-posh-prooftype/

Jesse (and other operators), your feedback on those specs would be
*very* much appreciated.

At a glance, I think that you're definitely on the right track. Sole reliance on DNSSEC should be avoided. I like the POSH technique; it looks like you've got the security issue addressed (as compared to things like the Thunderbird autoconfiguration protocol), and you've got redirection covered too.

I'll try to think about issues that might conceptually crop up in a practical deployment. Is there something specific (as a service operator) you want me to look at?

Thanks,
Jesse
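To make the POSH idea discussed above concrete for other operators reading this thread: the following is an added example, not code from the thread, from the draft authors, or from any XMPP server. It shows the verification step a connecting server would perform when the hosted domain (example.com) does not hold a certificate for its own name, but instead publishes an HTTPS document that delegates to the hosting provider's (hosting.example.net) fingerprint list. Assumptions, also marked in the code: the well-known path and JSON shape follow the later RFC 7711 ("fingerprints" with "sha-256" entries, or a single "url" redirect, plus "expires"), not necessarily the 2013 draft; the HTTPS fetch is replaced by an in-memory dictionary so it runs offline; the certificate bytes are a constructed placeholder, since only their hash matters here. The redirect handling is what Jesse's remark about redirection is about: one hop, HTTPS only, no chains.

```python
"""POSH-style fingerprint verification for a hosted XMPP domain (added example)."""
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional

# Assumption: RFC 7711 well-known path; the 2013 draft may have used a different one.
POSH_PATH = "/.well-known/posh/xmpp-server.json"
MAX_REDIRECTS = 1  # one "url" hop is allowed; longer chains are refused

Fetcher = Callable[[str], Optional[str]]  # url -> document body, or None if absent


def cert_fingerprint_b64(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, base64-encoded as POSH documents carry it."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def fetch_posh(domain: str, fetch: Fetcher) -> Optional[dict]:
    """Retrieve the POSH document for a domain, following at most one HTTPS redirect.

    Returns None when no usable document exists; the caller then has no POSH proof
    and must fall back to ordinary PKIX name matching (or DANE) instead.
    """
    url = "https://" + domain + POSH_PATH
    for _ in range(MAX_REDIRECTS + 1):
        body = fetch(url)
        if body is None:
            return None
        doc = json.loads(body)
        if "fingerprints" in doc:
            return doc
        if "url" in doc:
            url = doc["url"]
            if not url.startswith("https://"):
                return None  # a redirect off HTTPS would let anyone forge the proof
            continue
        return None  # neither fingerprints nor url: malformed
    return None  # redirect chain longer than allowed


def posh_verify(domain: str, der_cert: bytes, fetch: Fetcher) -> bool:
    """True iff the presented certificate's hash is listed for the domain via POSH."""
    doc = fetch_posh(domain, fetch)
    if doc is None:
        return False
    expires = doc.get("expires")
    if not isinstance(expires, int) or expires <= 0:
        return False  # simplification: treat missing/non-positive lifetime as invalid
    want = cert_fingerprint_b64(der_cert)
    for entry in doc.get("fingerprints", []):
        got = entry.get("sha-256") if isinstance(entry, dict) else None
        if isinstance(got, str) and hmac.compare_digest(got, want):
            return True
    return False


# Constructed test data: a placeholder "certificate" and the documents each host
# would serve over HTTPS. example.com delegates to its hosting provider.
SERVER_CERT_DER = b"constructed placeholder, not a real DER certificate"
_HOSTING_DOC = "https://hosting.example.net" + POSH_PATH
_DOCS = {
    _HOSTING_DOC: json.dumps({
        "fingerprints": [{"sha-256": cert_fingerprint_b64(SERVER_CERT_DER)}],
        "expires": 604800}),
    "https://example.com" + POSH_PATH: json.dumps({"url": _HOSTING_DOC, "expires": 86400}),
    # two hops: chain.example -> example.com -> hosting.example.net (must be refused)
    "https://chain.example" + POSH_PATH: json.dumps({
        "url": "https://example.com" + POSH_PATH, "expires": 86400}),
    # redirect to plain HTTP (must be refused)
    "https://plain.example" + POSH_PATH: json.dumps({
        "url": "http://hosting.example.net" + POSH_PATH, "expires": 86400}),
}


def demo_fetch(url: str) -> Optional[str]:
    """Stand-in for an HTTPS GET with normal PKIX validation of the web host."""
    return _DOCS.get(url)


if __name__ == "__main__":
    for d in ("example.com", "chain.example", "plain.example", "nodoc.example"):
        print(d, posh_verify(d, SERVER_CERT_DER, demo_fetch))
```

Note that the HTTPS fetch itself still relies on the web PKI for the hosting provider's name; POSH only moves the burden from "a certificate per hosted domain on the XMPP listener" to "one ordinary web certificate per hosting provider", which is the operational problem Jesse raised.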
