On 2013-11-03 at 18:01 -0800, Peter Kieser wrote:
> Shouldn't the SSL certificate CN match the hostname listed in the "IN
> SRV" record, since that's the hostname a S2S connection will open to.
Not unless the peer server's operator is publishing DNSSEC records for
the domain and the connection in
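An added example, not code from the thread or from any XMPP server, showing which name a peer's certificate has to match. RFC 6120 (section 13.7.2) makes the reference identifier the XMPP domain being connected to; the SRV target only becomes an acceptable identifier when the SRV answer itself was DNSSEC-validated, since an unsigned SRV record is whatever the network hands you. The domains, SRV answers and certificate names are constructed for the example.

```python
# Added example (not from the thread): which name an XMPP peer's
# certificate must match.  Per RFC 6120 section 13.7.2 the reference
# identifier is the XMPP domain being connected to; the target of an
# _xmpp-server._tcp SRV record is only trustworthy as an identifier when
# the SRV answer itself was DNSSEC-validated.  All domains, SRV answers
# and certificate names below are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvAnswer:
    target: str             # hostname from the SRV record
    port: int
    dnssec_validated: bool  # e.g. AD bit from a validating resolver (assumed)


@dataclass(frozen=True)
class Certificate:
    dns_names: tuple        # dNSName subjectAltName entries
    xmpp_addrs: tuple = ()  # id-on-xmppAddr subjectAltName entries


def dns_name_matches(pattern, name):
    """RFC 6125 section 6.4.3 style matching: case-insensitive, and a
    wildcard is accepted only as the entire left-most label of a name
    with at least two further labels, so *.example.com matches neither
    example.com nor a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def reference_identifiers(xmpp_domain, srv):
    """The names the peer's certificate is allowed to prove."""
    refs = [xmpp_domain]
    if srv is not None and srv.dnssec_validated:
        refs.append(srv.target)  # SRV target counts only under DNSSEC
    return refs


def certificate_acceptable(cert, xmpp_domain, srv):
    """True if the certificate proves one of the reference identifiers."""
    refs = reference_identifiers(xmpp_domain, srv)
    # xmppAddr entries are compared exactly (no wildcards) with the domain.
    if xmpp_domain.lower() in (a.lower() for a in cert.xmpp_addrs):
        return True
    return any(dns_name_matches(pat, ref) for pat in cert.dns_names for ref in refs)


# Constructed scenario: example.com outsources XMPP to a host in another domain.
SRV_UNSIGNED = SrvAnswer("xmpp1.hosting.example.net", 5269, dnssec_validated=False)
SRV_SIGNED = SrvAnswer("xmpp1.hosting.example.net", 5269, dnssec_validated=True)
CERT_FOR_SRV_TARGET = Certificate(dns_names=("xmpp1.hosting.example.net",))
CERT_FOR_DOMAIN = Certificate(dns_names=("xmpp1.hosting.example.net", "example.com"))
CERT_WILDCARD = Certificate(dns_names=("*.example.com",))
CERT_XMPPADDR = Certificate(dns_names=("xmpp1.hosting.example.net",), xmpp_addrs=("example.com",))

if __name__ == "__main__":
    cases = [("SRV target only", CERT_FOR_SRV_TARGET), ("domain SAN", CERT_FOR_DOMAIN),
             ("wildcard", CERT_WILDCARD), ("xmppAddr", CERT_XMPPADDR)]
    for label, cert in cases:
        for srv in (SRV_UNSIGNED, SRV_SIGNED):
            ok = certificate_acceptable(cert, "example.com", srv)
            print(f"{label:16} dnssec={srv.dnssec_validated!s:5} -> {'accept' if ok else 'reject'}")
```

The point the first case makes is the one raised above: a certificate issued only for the SRV target is rejected unless the SRV lookup was DNSSEC-validated, so a hosted domain either needs the hosting provider to hold a certificate naming the customer's domain (dNSName or xmppAddr) or needs the zone signed.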
On 2013-10-29 4:20 PM, Peter Saint-Andre wrote:
In case you missed it during all the TLS discussion, we've repurposed
xmpp.net to function as an "IM Observatory". This makes it easy to
figure out whether your service offers a high level of security.
On 2013-11-03 at 11:49 +0100, Thijs Alkemade wrote:
> Also, if you assume clients always pick the strongest encryption cipher they
> support, then I have a surprise for you:
>
> https://blog.thijsalkema.de/blog/2013/09/02/the-state-of-tls-on-xmpp-3/
Then that's a client bug, from the traitorous s
On 3 Nov. 2013, at 07:27, Phil Pennock wrote:
> So as long as SSLv2 is not allowed and the server private key is long
> enough to have a reasonable expected lifetime (avoiding compromise and
> more problems than just the attacker's ability to sign a downgrade
> attack), surely a server operator
Little note, Microsoft Windows XP and Windows Server 2003 support TLS
1.0 with ciphers:
* TLS_RSA_WITH_RC4_128_MD5
* TLS_RSA_WITH_RC4_128_SHA
* TLS_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
* TLS_RSA_WITH_DES_CBC_SHA
* TLS_DHE_DSS_WITH_DES_CBC_SHA
* TLS_RSA_EXPORT
On 2013-11-01 at 14:01 +0100, Thijs Alkemade wrote:
> 1) Enable cipher with less than 128 bit keys (DES, EXPORT-*, not 3DES,
> which is assumed 168).
> 3) Enable SSLv2.
> We can debate about 4) for a long time, but 1), 2) and 3) have been bad
> practices for at least a decade, some even longer
4) Use an untrusted or invalid certificate.
We can debate about 4) for a long time
We can debate about "untrusted", but we don't need to do that for "invalid".
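An added example, not from the thread and not xmpp.net's grading code, that turns rules 1) and 3) into a check you can run against a real TLS configuration. It uses Python's ssl module on top of OpenSSL: the weak setting (everything the library can still negotiate) next to the corrected one (TLS 1.2 or newer, forward-secret AEAD suites only), and a classifier that flags export-grade and single-DES suites by name and by the key length OpenSSL reports, counting 3DES as 168 bits as the message does. RC4, MD5-MAC, NULL and anonymous suites are flagged as well because they were just as deprecated by 2013; the cipher string and thresholds are this example's choices.

```python
# Added example (not from the thread): auditing a TLS server configuration
# against the rules listed above, using Python's ssl module on top of OpenSSL.
# Rule 1: no suite with a key shorter than 128 bits (export grade, single DES;
# 3DES is counted as 168).  Rule 3: no SSLv2, covered here by requiring
# TLS 1.2 or newer.  RC4, MD5-MAC, NULL and anonymous suites are added
# because they were likewise long deprecated by 2013.  Cipher-string and
# threshold choices are this example's, not xmpp.net's grading rules.
import re
import ssl

# Patterns cover both OpenSSL names (EXP-DES-CBC-SHA, DES-CBC3-SHA) and
# IANA names (TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_WITH_3DES_EDE_CBC_SHA).
WEAK_NAME_PATTERNS = {
    "export-grade": re.compile(r"(^|[_-])EXP(ORT)?\d*([_-]|$)"),
    "single DES": re.compile(r"DES[_-]CBC[_-]"),  # DES-CBC3 / 3DES_EDE_CBC do not match
    "RC4": re.compile(r"RC4"),
    "MD5 MAC": re.compile(r"MD5"),
    "NULL cipher": re.compile(r"(^|[_-])NULL([_-]|$)"),
    "anonymous DH": re.compile(r"(^|[_-])(ADH|AECDH)[_-]|_anon_"),
}


def classify(name, alg_bits=None):
    """Reasons a cipher suite fails the policy; an empty list means it passes.
    alg_bits is the nominal key length OpenSSL reports (168 for 3DES)."""
    reasons = [why for why, pat in WEAK_NAME_PATTERNS.items() if pat.search(name)]
    if alg_bits is not None and alg_bits < 128:
        reasons.append(f"{alg_bits}-bit key")
    return reasons


def audit_context(ctx):
    """Map each offending suite an SSLContext would offer to its reasons."""
    findings = {}
    for suite in ctx.get_ciphers():
        reasons = classify(suite["name"], suite.get("alg_bits"))
        if reasons:
            findings[suite["name"]] = reasons
    return findings


def permissive_server_context():
    """The weak setting: everything the linked OpenSSL can still negotiate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:COMPLEMENTOFALL")
    return ctx


def hardened_server_context():
    """The corrected setting: TLS 1.2+, forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv2/SSLv3/TLS 1.0/1.1
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"
        ":!aNULL:!eNULL:!MD5:!RC4:!DES:!EXPORT"  # !DES excludes single DES only
    )
    return ctx


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_server_context()),
                       ("hardened", hardened_server_context())):
        findings = audit_context(ctx)
        print(f"{label}: {len(ctx.get_ciphers())} suites offered, {len(findings)} rejected")
        for name, reasons in findings.items():
            print(f"  {name}: {', '.join(reasons)}")
```

What the permissive context actually offers depends on how the local OpenSSL was built (modern builds drop export, single-DES and RC4 suites entirely), which is itself the practical caveat: a server's grade is decided by the library it links against as much as by its cipher string.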
On 1 Nov. 2013, at 13:33, Moonchild wrote:
> In addition, only including score grade "A" is a little short-sighted, IMHO,
> as server operators may be very good admins running a secure server while
> not getting a grade A (for example by offering potentially weaker ciphers
> for extended compati
Hi,
Moonchild wrote:
Although there's some merit to Aryo's suggestions, there's a problem with it:
Most people should primarily be looking for an XMPP server that is in their
region of the world, not necessarily one that "scores highest". Sorting by
country/region is therefore preferred.
The sho
Hi Folks,
Although there's some merit to Aryo's suggestions, there's a problem with it:
Most people should primarily be looking for an XMPP server that is in their
region of the world, not necessarily one that "scores highest". Sorting by
country/regi
A with the "See more" link if a visitor decides to
see the full list.
I hope my suggestions above are quite understandable and reasonable.
Regards,
Aryo S.
http://mayplaces.com
Original Message
From: Peter Saint-Andre
To: "XMPP Operators Group"
Sent: Wed, Oct 30,
On 10/30/2013 03:50 PM, Phil Pennock wrote:
> On 2013-10-30 at 10:22 +0100, Thijs Alkemade wrote:
>> In my opinion, “trusted” should not mean “can xmpp.net make a
>> connection it trusts” but rather “can (most) end users make a
>> connection without ce
On 2013-10-30 at 10:17 +0100, Tomek Nagisa wrote:
> > Looks cool. Is there an intention to support TLSA+DNSSEC
> > providing a trust anchor to override the automatic F grade
> > for having an untrusted CA cert?
>
> Change TLSA record from "IN TLSA (2 0 0 ..." to " IN TLSA (3 0 0 "?
No, because
On 2013-10-30 at 10:22 +0100, Thijs Alkemade wrote:
> In my opinion, “trusted” should not mean “can xmpp.net make a connection it
> trusts” but rather “can (most) end users make a connection without certificate
> warnings”. Currently, I’m not aware of any client supporting DANE. (This also
> covers
On 30 Oct. 2013, at 06:55, Phil Pennock wrote:
> On 2013-10-29 at 17:20 -0600, Peter Saint-Andre wrote:
> > In case you missed it during all the TLS discussion, we've repurposed
> > xmpp.net to function as an "IM Observatory". This makes it easy to
> > figure out whether your
> Looks cool. Is there an intention to support TLSA+DNSSEC
> providing a trust anchor to override the automatic F grade
> for having an untrusted CA cert?
Change TLSA record from "IN TLSA (2 0 0 ..." to " IN TLSA (3 0 0 "?
--
K
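An added example, not from the thread, to make the "2 0 0" versus "3 0 0" distinction in the messages above concrete. In a TLSA record (RFC 6698) the first field is the usage: 2 (DANE-TA) names a CA certificate that the presented chain must run through, 3 (DANE-EE) names the end-entity certificate itself. The second is the selector (0 = whole certificate, 1 = SubjectPublicKeyInfo) and the third the matching type (0 = full data, 1 = SHA-256, 2 = SHA-512). The code generates the record text for the XMPP s2s port and checks a presented chain against it; the certificates are constructed placeholder byte strings and the owner name is an assumption. For usage 2 the TLS library still has to validate a PKIX path from the leaf to the matched CA, which the example leaves to it.

```python
# Added example (not from the thread): generating and checking TLSA records
# for the XMPP s2s port, to make the "2 0 0" versus "3 0 0" distinction
# concrete (RFC 6698).  Usage 2 = DANE-TA (the record names a CA certificate
# the presented chain must run through), usage 3 = DANE-EE (the record names
# the end-entity certificate itself); selector 0 = whole certificate,
# 1 = SubjectPublicKeyInfo; matching 0 = full data, 1 = SHA-256, 2 = SHA-512.
# The certificates are constructed placeholder byte strings and the owner
# name is an assumption.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    der: bytes    # DER-encoded certificate (placeholder bytes here)
    spki: bytes   # its DER-encoded SubjectPublicKeyInfo (placeholder bytes)
    is_ca: bool


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes   # certificate association data


def association_data(cert, selector):
    if selector == 0:
        return cert.der
    if selector == 1:
        return cert.spki
    raise ValueError(f"unknown selector {selector}")


def apply_matching(data, matching):
    if matching == 0:
        return data
    if matching == 1:
        return hashlib.sha256(data).digest()
    if matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_record(owner, cert, usage, selector, matching):
    """Build the record for `cert` and its zone-file presentation."""
    data = apply_matching(association_data(cert, selector), matching)
    rec = TLSA(usage, selector, matching, data)
    return rec, f"{owner} IN TLSA {usage} {selector} {matching} {data.hex()}"


def tlsa_satisfied(rec, chain):
    """Does the presented chain (chain[0] = end-entity cert) satisfy `rec`?
    Usage 3 is checked against the leaf only; usage 2 against the CA
    certificates above it, with PKIX path validation to that CA assumed to
    be done by the TLS library.  Usages 0 and 1 also require the ordinary
    public-CA path and are not handled in this example."""
    if rec.usage == 3:
        candidates = chain[:1]
    elif rec.usage == 2:
        candidates = [c for c in chain[1:] if c.is_ca]
    else:
        return False
    return any(apply_matching(association_data(c, rec.selector), rec.matching) == rec.data
               for c in candidates)


# Constructed chain: leaf issued by an intermediate issued by a private root.
LEAF = Cert(b"constructed leaf DER", b"constructed leaf SPKI", is_ca=False)
INTERMEDIATE = Cert(b"constructed intermediate DER", b"constructed intermediate SPKI", is_ca=True)
ROOT = Cert(b"constructed root DER", b"constructed root SPKI", is_ca=True)
CHAIN = [LEAF, INTERMEDIATE, ROOT]
# Reissued leaf with the same key pair: new DER, same SPKI.
ROTATED_LEAF = Cert(b"constructed reissued leaf DER", b"constructed leaf SPKI", is_ca=False)
OWNER = "_5269._tcp.example.com."  # xmpp-server port; assumed domain

if __name__ == "__main__":
    for usage, selector, cert in ((3, 0, LEAF), (3, 1, LEAF), (2, 0, ROOT), (2, 0, LEAF)):
        rec, text = tlsa_record(OWNER, cert, usage, selector, 1)
        print(text)
        print("  satisfied by presented chain:", tlsa_satisfied(rec, CHAIN))
```

Two things the last cases show: a record of usage 2 that names the leaf itself matches nothing, because a trust anchor has to be a CA above the end-entity certificate, and a "3 0 1" record stops matching as soon as the certificate is reissued, whereas "3 1 1" (SPKI hash) survives a reissue under the same key, which is why RFC 7671 recommends "3 1 1" as the default form.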
On 2013-10-29 at 17:20 -0600, Peter Saint-Andre wrote:
> In case you missed it during all the TLS discussion, we've repurposed
> xmpp.net to function as an "IM Observatory". This makes it easy to
> figure out whether your service offers a high lev
In case you missed it during all the TLS discussion, we've repurposed
xmpp.net to function as an "IM Observatory". This makes it easy to
figure out whether your service offers a high level of security. Just
visit https://xmpp.net/ and type your domain