Re: [Standards] XMPP server certificate
Jonathan Schleifer wrote:
> Dave Cridland wrote:
>> Applications shouldn't be installing trust anchors without a lot of
>> confirming with the user.
>
> I'm not talking about an application installing a system-wide root
> certificate. But if the StartCom certificate is included and used for
> just that app, it only makes sense to add CACert as well.

No it doesn't. StartCom has completed their audit and gone through all of the rigors to be included in the browsers; CAcert has not.
Re: [Standards] XMPP server certificate
Peter Saint-Andre wrote:
> Who said that including CAs is evil?
>
> My argument is that policies differ. Just because a lot of people use
> a particular CA doesn't make it good.

Deciding on policies is something the user should do, not the client. I, for example, trust something open and transparent like CACert much more than some company like VeriSign etc.

--
Jonathan
Re: [Standards] XMPP server certificate
On 12/13/09 11:04 AM, Jonathan Schleifer wrote:
> Peter Saint-Andre wrote:
>
>> Not really. It depends on what level of trust you have in those
>> anchors. CAs are not interchangeable.
>
> Either you include additional CAs and then it makes sense to include
> others that are used by a lot of XMPP services, or you don't include
> any additional CAs at all. It does not make much sense to include one
> that is often used, but refuse to include another one that is used by about
> the same number of services by reasoning that including CAs is evil,
> even though it has been done for other CAs.

Who said that including CAs is evil?

My argument is that policies differ. Just because a lot of people use a particular CA doesn't make it good.

Peter

--
Peter Saint-Andre
https://stpeter.im/
Re: [Standards] XMPP server certificate
On Sun Dec 13 18:04:04 2009, Jonathan Schleifer wrote:
> Peter Saint-Andre wrote:
>> Not really. It depends on what level of trust you have in those
>> anchors. CAs are not interchangeable.
>
> Either you include additional CAs and then it makes sense to include
> others that are used by a lot of XMPP services, or you don't include
> any additional CAs at all. It does not make much sense to include one
> that is often used, but refuse to include another one that is used by about
> the same number of services by reasoning that including CAs is evil,
> even though it has been done for other CAs.

Here we agree, although we differ in the resolution...

Dave.

--
Dave Cridland - mailto:d...@cridland.net - xmpp:d...@dave.cridland.net
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
Re: [Standards] XMPP server certificate
Peter Saint-Andre wrote:
> Not really. It depends on what level of trust you have in those
> anchors. CAs are not interchangeable.

Either you include additional CAs and then it makes sense to include others that are used by a lot of XMPP services, or you don't include any additional CAs at all. It does not make much sense to include one that is often used, but refuse to include another one that is used by about the same number of services by reasoning that including CAs is evil, even though it has been done for other CAs.

--
Jonathan
Re: [Standards] XMPP server certificate
On Sun Dec 13 17:55:29 2009, Peter Saint-Andre wrote:
> On 12/13/09 10:41 AM, Jonathan Schleifer wrote:
>> Dave Cridland wrote:
>>
>>> Applications shouldn't be installing trust anchors without a lot of
>>> confirming with the user.
>>
>> I'm not talking about an application installing a system-wide root
>> certificate. But if the StartCom certificate is included and used for
>> just that app, it only makes sense to add CACert as well.
>
> Not really. It depends on what level of trust you have in those
> anchors. CAs are not interchangeable.

Right, the goal isn't just to make the warnings go away. :-)

Dave.

--
Dave Cridland - mailto:d...@cridland.net - xmpp:d...@dave.cridland.net
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
Re: [Standards] XMPP server certificate
On 12/13/09 10:41 AM, Jonathan Schleifer wrote:
> Dave Cridland wrote:
>
>> Applications shouldn't be installing trust anchors without a lot of
>> confirming with the user.
>
> I'm not talking about an application installing a system-wide root
> certificate. But if the StartCom certificate is included and used for
> just that app, it only makes sense to add CACert as well.

Not really. It depends on what level of trust you have in those anchors. CAs are not interchangeable.

Peter

--
Peter Saint-Andre
https://stpeter.im/
Re: [Standards] XMPP server certificate
On Sun Dec 13 17:41:31 2009, Jonathan Schleifer wrote:
> Dave Cridland wrote:
>> Applications shouldn't be installing trust anchors without a lot of
>> confirming with the user.
>
> I'm not talking about an application installing a system-wide root
> certificate. But if the StartCom certificate is included and used for
> just that app, it only makes sense to add CACert as well.

Applications should also not be using their own internal trust anchors. :-)

Suggesting ones to add, perhaps only for that application, is sensible.

Of course, operating systems usually come preinstalled with a default list - that's a reasonable trade-off.

Dave.

--
Dave Cridland - mailto:d...@cridland.net - xmpp:d...@dave.cridland.net
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
Re: [Standards] XMPP server certificate
Dave Cridland wrote:
> Applications shouldn't be installing trust anchors without a lot of
> confirming with the user.

I'm not talking about an application installing a system-wide root certificate. But if the StartCom certificate is included and used for just that app, it only makes sense to add CACert as well.

--
Jonathan
Re: [Standards] XMPP server certificate
On Sun Dec 13 13:59:08 2009, Jonathan Schleifer wrote:
> Maciek Niedzielski wrote:
>> If Psi didn't complain then you either have CACert root certificate
>> in your system cert store or in psi cert store (which is not there by
>> default - we only bundle startcom/startssl)
>
> Hm, that's interesting, as I can't even remember getting a warning on
> Windows - and I definitely don't have cacert.org in the system cert
> store there. On Linux, it might very well be that it is there.
>
> Anyway, is there a reason for not including it in Psi? I guess 90% of
> the servers use either StartCom or CACert.

Applications shouldn't be installing trust anchors without a lot of confirming with the user.

Dave.

--
Dave Cridland - mailto:d...@cridland.net - xmpp:d...@dave.cridland.net
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
Re: [Standards] XMPP server certificate
Maciek Niedzielski wrote:
> If Psi didn't complain then you either have CACert root certificate
> in your system cert store or in psi cert store (which is not there by
> default - we only bundle startcom/startssl)

Hm, that's interesting, as I can't even remember getting a warning on Windows - and I definitely don't have cacert.org in the system cert store there. On Linux, it might very well be that it is there.

Anyway, is there a reason for not including it in Psi? I guess 90% of the servers use either StartCom or CACert.

--
Jonathan
Re: [Standards] XMPP server certificate
On Sunday 13 December 2009 13:52:28 Jonathan Schleifer wrote:
> For clients, I don't know of any major one which doesn't know about the
> CACert root certificate. I've never seen a warning about my CACert
> certificate in Psi, Gajim, Pidgin, etc. - and I tried a lot of clients.

If Psi didn't complain then you either have the CACert root certificate in your system cert store or in the Psi cert store (which is not there by default - we only bundle startcom/startssl).

--
Maciek
xmpp:mache...@uaznia.net
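Maciek's point (a missing warning only tells you that some trust store had the root) and Dave's earlier distinction between the OS-supplied list and an application's own anchors both come down to one check: validate the server certificate against each store separately. The script below is an added example written for this thread, not code from Psi or any client discussed here. It assumes the openssl CLI is on PATH, and it constructs a throwaway private root standing in for an off-by-default root such as CAcert (it is not the real CAcert key), issues an xmpp.example.net server certificate from it, then verifies that certificate once against OpenSSL's default (system) store and once against only the constructed root, the way an app-local bundle would.

```shell
#!/bin/sh
# Added example (not from the thread or from Psi): the same server certificate
# validates or fails depending on which trust store does the checking.
# Assumption: the openssl CLI is installed. All certificates below are
# constructed here; the "private root" is a stand-in, not CAcert's real root.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A private root, as an application might bundle or a user might add
#    to the OS store (hypothetical name, generated on the fly).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" \
  -subj "/CN=Constructed Private Root" >/dev/null 2>&1

# 2. A certificate for an XMPP service, issued by that root.
openssl req -newkey rsa:2048 -nodes \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
  -subj "/CN=xmpp.example.net" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/srv.csr" \
  -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -out "$WORK/srv.pem" >/dev/null 2>&1

# verify_with STORE -> prints "trusted" or "untrusted"
#   system : OpenSSL's default CA file/directory, i.e. what a client that
#            relies on the OS store would see for this chain
#   app    : only the constructed root, i.e. a client carrying its own bundle
verify_with() {
  case "$1" in
    system) opts="" ;;
    app)    opts="-CAfile $WORK/root.pem" ;;
    *)      echo "usage: verify_with system|app" >&2; return 2 ;;
  esac
  # $opts is deliberately unquoted so an empty value adds no argument.
  # shellcheck disable=SC2086
  if openssl verify $opts "$WORK/srv.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Stand-alone run: the private root is not in the system store, so the first
# line reads "untrusted"; with the bundled root it reads "trusted".
echo "system store:     $(verify_with system)"
echo "app-bundled root: $(verify_with app)"
```

A client that reports "no warning" has answered only the second question. To find out which store a real installation is consulting, repeat the system-store check with the server's actual certificate (for example one saved from `openssl s_client -starttls xmpp`), and note that passing chain validation still says nothing about whether the name in the certificate matches the service you meant to reach.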
Re: [Standards] XMPP server certificate
Alaric Dailey wrote:
> um what servers and clients?

Most Jabber servers don't check certs at all at the moment, but those who do usually know the CACert root certificates.

For clients, I don't know of any major one which doesn't know about the CACert root certificate. I've never seen a warning about my CACert certificate in Psi, Gajim, Pidgin, etc. - and I tried a lot of clients.

--
Jonathan