On 11/19/10 8:28 AM, Stephen Paul Weber wrote:
> On Fri, Nov 19, 2010 at 10:25, Peter Saint-Andre <[email protected]> wrote:
>> On 11/19/10 8:22 AM, Stephen Paul Weber wrote:
>>> On Wed, Nov 17, 2010 at 19:51, Kim Alvefur <[email protected]> wrote:
>>>> Imagine a server with a self signed certificate.
>>>
>>> Why is a production server using a self-signed certificate? StartSSL
>>> will give personal sites and some others a cert for free. Others can
>>> either get one pretty cheap, or we could convince the XMPP community
>>> to support CACert.
>>
>> Given that I used to run the XMPP CA, I heartily agree that it's easy
>> enough for people to obtain certificates.
>>
>> Either the admins are too lazy to do so or, in the case of large hosting
>> services, there are operational difficulties.
>
> So, I'll grant ops difficulties for SSL, which is why we have this
> problem in the HTTP community. XMPP supports TLS, though, and IIRC
> SRV support allows using different ports, so none of the "must have
> IP" problems are present.

The issue is not multiple IP addresses, the issue is managing 10,000
certificates. Now, maybe that's not really so hard -- it would be good to
get some feedback from large operators about that (Google Apps, GMX,
DreamHost, etc.).

Peter

--
Peter Saint-Andre
https://stpeter.im/
