On Mar 21, 2013, at 3:47 PM, Jesse Thompson <jesse.thomp...@doit.wisc.edu> wrote:
> On 3/21/2013 9:45 AM, Peter Saint-Andre wrote:
>> On 3/21/13 6:59 AM, Jesse Thompson wrote:
>>> On 3/21/2013 1:44 AM, Philipp Hancke wrote:
>>>> Well, TLS usage is a mess. Welcome to nobody cares.
>>>
>>> It's not [only] that they don't care. It's just plain impractical,
>>> to the point of infeasibility, for an XMPP operator to maintain
>>> valid matching certificates for many hosted domains.
>>
>> Yes yes yes!
>>
>> That's why Matt Miller and I have been working on a suite of specs
>> about "domain name associations"...
>>
>> https://datatracker.ietf.org/doc/draft-saintandre-xmpp-dna/
>>
>> https://datatracker.ietf.org/doc/draft-miller-xmpp-dnssec-prooftype/ -
>> likely will be merged with
>> https://datatracker.ietf.org/doc/draft-ietf-dane-srv/
>>
>> https://datatracker.ietf.org/doc/draft-miller-xmpp-posh-prooftype/
>>
>> Jesse (and other operators), your feedback on those specs would be
>> *very* much appreciated.
>
> At a glance, I think that you're definitely on the right track. Sole
> reliance on DNSSEC should be avoided. I like the POSH technique; it looks
> like you've got the security issue addressed (as compared to things like the
> Thunderbird autoconfiguration protocol), and you've got redirection covered
> too.
>
> I'll try to think about issues that might conceptually crop up in a practical
> deployment. Is there something specific (as a service operator) you want me
> to look at?

I'm definitely curious about the feasibility for operators (or the delegators to operators) to deploy any or all of the methods. This would include getting the right files in the right places. But really, any and all feedback is most appreciated.

Thanks!

- m&m

Matthew A. Miller
< http://goo.gl/LK55L >