On Thu, Aug 22, 2013 at 09:32:54AM +0200, Ralph J.Mayer wrote:
> Two things come to mind:
> - HowTos/WalkThroughs ... how to configure and monitor everything for most
> used clients and servers
> - verification tools ... a little script that checks your c2s and s2s + a
> bunch of servers with good and bad certs
The verification tools in particular are more important than the walkthroughs IMO.

I finally enabled secure s2s stuff on my xmpp server last week. I simply don't have any real way of (1) testing that my certificate and its CA chain are sane, and (2) verifying that my server handles real-world remote certs properly. Oh, and (3) if I need to relax the verification settings so that it doesn't drop traffic due to "bad" certs.

Perhaps this could be as simple as (for example) jabber.org running an xmpp echobot that automatically grants subscriptions so folks can test if their server talks properly to a known sane host. Plus additional servers with deliberately wonky-but-legal certs, plus additional servers with deliberately-bad certs (e.g. expired, bad CA chain, bad hostname, etc).

Come to think of it, there are probably generic TLS connection testers out there; this could be mostly automated.

- Solomon

--
Solomon Peachy                         pizza at shaftnet dot org
Delray Beach, FL                          ^^ (email/xmpp) ^^
Quidquid latine dictum sit, altum viditur.
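A small version of the "little script that checks your c2s and s2s" asked for above, written for this post as an added example (it is not from this thread or any XMPP project). It uses only the Python standard library: it opens a plain XMPP stream on 5222 (c2s) or 5269 (s2s), reads the `<stream:features>`, negotiates STARTTLS, and lets `ssl.create_default_context()` verify the chain against the system CA store and the hostname against the XMPP domain; the features stanzas and certificate dates used for offline testing are constructed.

```python
import socket
import ssl
import time
import xml.etree.ElementTree as ET

STREAM_NS = {"c2s": "jabber:client", "s2s": "jabber:server"}
PORTS = {"c2s": 5222, "s2s": 5269}
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

def stream_header(domain, mode):
    """Opening <stream:stream> for a client (c2s) or server (s2s) connection."""
    return ("<?xml version='1.0'?><stream:stream to='%s' xmlns='%s' "
            "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
            % (domain, STREAM_NS[mode]))

def starttls_offer(features_xml):
    """Return 'required', 'optional' or None for a <stream:features> element."""
    wrapped = "<r xmlns:stream='http://etherx.jabber.org/streams'>%s</r>" % features_xml
    tls = ET.fromstring(wrapped).find(".//{%s}starttls" % TLS_NS)
    if tls is None:
        return None
    return "required" if tls.find("{%s}required" % TLS_NS) is not None else "optional"

def cert_days_left(cert, now=None):
    """Whole days until notAfter of an ssl.getpeercert() dict; negative once expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def check_server(domain, mode="c2s", host=None, timeout=10):
    """Negotiate STARTTLS on a plain XMPP stream, then verify the chain and hostname.
    `host` is the address connected to (e.g. from SRV); the cert must match `domain`."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    with socket.create_connection((host or domain, PORTS[mode]), timeout) as sock:
        sock.sendall(stream_header(domain, mode).encode())
        buf = b""
        while b"</stream:features>" not in buf and b"<stream:features/>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise RuntimeError("stream closed before <stream:features>")
            buf += chunk
        offer = starttls_offer("<stream:features" + buf.decode("utf-8", "replace").split("<stream:features", 1)[1])
        if offer is None:
            return {"starttls": None}  # no TLS offered at all
        sock.sendall(("<starttls xmlns='%s'/>" % TLS_NS).encode())
        if b"<proceed" not in sock.recv(4096):
            raise RuntimeError("STARTTLS refused")
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:  # raises on bad chain/name
            cert = tls.getpeercert()
            return {"starttls": offer, "tls": tls.version(),
                    "days_left": cert_days_left(cert), "subject": cert.get("subject")}
```

Run `check_server("your.domain", "s2s")` against your own host: a verification failure surfaces as an `ssl.SSLCertVerificationError` naming the failed check (chain, hostname or expiry), and a `"starttls": None` result means the server never offered TLS on that port.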