On Fri, Nov 19, 2010 at 10:25, Peter Saint-Andre <[email protected]> wrote:
> On 11/19/10 8:22 AM, Stephen Paul Weber wrote:
>> On Wed, Nov 17, 2010 at 19:51, Kim Alvefur <[email protected]> wrote:
>>> Imagine a server with a self-signed certificate.
>>
>> Why is a production server using a self-signed certificate? StartSSL
>> will give personal sites and some others a cert for free. Others can
>> either get one pretty cheap, or we could convince the XMPP community
>> to support CACert.
>
> Given that I used to run the XMPP CA, I heartily agree that it's easy
> enough for people to obtain certificates.
>
> Either the admins are too lazy to do so or, in the case of large hosting
> services, there are operational difficulties.
So, I'll grant ops difficulties for SSL, which is why we have this problem in the HTTP community. XMPP supports TLS, though, and IIRC SRV support allows using different ports, so none of the "must have IP" problems are present.

I actually don't use self-signed even for my HTTP, because it's safer (IMHO) to trust CACert on all my computers rather than a self-signed cert. This also means that when the cert changes I don't have to re-say-yes everywhere.

-- 
Stephen Paul Weber, @singpolyma
Please see <http://singpolyma.net> for how I prefer to be contacted.

This message was sent from the GMail webmail interface. It's probably not signed. This is a problem.
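An added example (not from this thread) of the SRV-based discovery the reply relies on: a client orders the targets and ports in an `_xmpp-client._tcp` answer by priority and weight (RFC 2782 style), so a hosted domain can live on any host and port without a dedicated IP. The records, hostnames and ports are constructed, not real DNS data.

```python
"""Order the (host, port) pairs an XMPP client should try from an SRV answer.
Added example; the records below are constructed, not a real DNS response."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer for _xmpp-client._tcp.example.com: two primaries on
# different ports (weights 60/40) and one lower-preference backup.
EXAMPLE_SRV = [
    SrvRecord(10, 60, 5222, "xmpp-a.hosting.example."),
    SrvRecord(10, 40, 15222, "xmpp-b.hosting.example."),
    SrvRecord(20, 0, 5222, "backup.hosting.example."),
]


def order_srv(records, rng=random):
    """Lowest priority first; within one priority, weighted random choice
    without replacement, so heavier targets tend to be tried earlier."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total) if total else 0
            running, chosen = 0, pool[-1]
            for r in pool:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append((chosen.target.rstrip("."), chosen.port))
            pool.remove(chosen)
    # Note for verification: the TLS certificate is still checked against the
    # XMPP domain the user entered (example.com), never against the SRV target,
    # since an unauthenticated DNS answer must not choose which name is trusted.
    return ordered


if __name__ == "__main__":
    for host, port in order_srv(EXAMPLE_SRV):
        print(f"try {host}:{port}")
```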
