Or, alternatively, what I said before is that the SSL/TLS be two-way, that
is, both the client and the server present certificates (SASL EXTERNAL).
Certificates are freely available from start.com, so that needn't be an
issue for the client. We just need the mainstream servers, like JAIM and J.O
to implement it: and then everyone will catch on.

This also runs along with the SPIMming issue from a while back. As I said,
if a client is misbehaving you simply report it to the CA and get the
certificate revoked. That would be a huge pain for SPIMmers; they can make
accounts as they see fit, but not certificates.

In the case of a SPIMmer having their own server, we could try something
like the following (the server NEVER authenticates itself with other
servers, rather, the client certificate is used for that):

* John connects to j.o with his certificate.
* He wants to send a message to Fred in jaim.org.
* Jaim.org sends a SASL EXTERNAL request to j.o, which forwards it to John.
* John sends his certificate to j.o, which then forwards it to jaim.org.
* Jaim.org checks his certificate against his CA.
* John, and not j.o, is now authenticated on Jaim.org.
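A runnable sketch of the six-step flow above, together with the "report it to the CA and get the certificate revoked" idea from the earlier paragraph. This is an added example, not code from the poster or from any Jabber server: the CA, the servers (j.o, jaim.org) and the client are toy classes, the "signatures" are textbook RSA over fixed Mersenne primes so the script needs only the standard library, and the nonce challenge that jaim.org sends through j.o is an assumption added here to stand in for the proof of key possession that a real TLS client handshake provides. It goes slightly beyond the list by checking revocation and key possession as part of the same verification.

```python
"""Toy simulation of forwarded SASL EXTERNAL between John, j.o and jaim.org.

Constructed example, not an XMPP/SASL implementation. Keys are textbook RSA
with fixed (far too small) Mersenne primes; the nonce is an added assumption
modelling proof of key possession. Names follow the message above.
"""
import hashlib
import json
import secrets


def digest_int(data: bytes, modulus: int) -> int:
    # SHA-256 of the data reduced into the RSA modulus range.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus


class ToyRSA:
    """Textbook RSA with caller-supplied primes. Toy only, not for real use."""
    E = 65537

    def __init__(self, p: int, q: int):
        self.n = p * q
        self._d = pow(self.E, -1, (p - 1) * (q - 1))

    def sign(self, data: bytes) -> int:
        return pow(digest_int(data, self.n), self._d, self.n)

    @staticmethod
    def verify(n: int, data: bytes, sig: int) -> bool:
        return pow(sig, ToyRSA.E, n) == digest_int(data, n)


def canonical(obj) -> bytes:
    # Stable encoding so issuer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class ToyCA:
    """Issues certificates and keeps the list of revoked serials (a toy CRL)."""

    def __init__(self):
        self._key = ToyRSA(2**61 - 1, 2**89 - 1)   # M61, M89: known Mersenne primes
        self.public_n = self._key.n
        self.revoked = set()
        self._serial = 0

    def issue(self, jid: str, client_n: int) -> dict:
        self._serial += 1
        body = {"serial": self._serial, "subject": jid, "n": client_n}
        return {"body": body, "sig": self._key.sign(canonical(body))}

    def revoke(self, serial: int) -> None:
        # The message's remedy for a misbehaving client: revoke its certificate.
        self.revoked.add(serial)

    def is_revoked(self, serial: int) -> bool:
        return serial in self.revoked


class Client:
    """John: owns a private key and a certificate binding his JID to it."""

    def __init__(self, jid: str, ca: ToyCA):
        self._key = ToyRSA(2**107 - 1, 2**127 - 1)  # M107, M127 (one client only)
        self.cert = ca.issue(jid, self._key.n)

    def answer_external(self, nonce: bytes) -> dict:
        # Step 4: John returns his certificate (plus the assumed nonce proof).
        return {"cert": self.cert, "proof": self._key.sign(nonce)}


class Server:
    """j.o or jaim.org. The server itself never presents a certificate."""

    def __init__(self, domain: str, ca: ToyCA):
        self.domain, self.ca, self.local_clients = domain, ca, {}

    def connect(self, client: Client) -> None:
        # Step 1: John connects to his home server with his certificate.
        self.local_clients[client.cert["body"]["subject"]] = client

    def forward_external(self, jid: str, nonce: bytes) -> dict:
        # Step 3: the home server just relays the request to the connected user.
        return self.local_clients[jid].answer_external(nonce)

    def authenticate_remote(self, jid: str, origin: "Server"):
        # Steps 2-6 from jaim.org's side; returns the authenticated JID or None.
        nonce = secrets.token_bytes(16)
        answer = origin.forward_external(jid, nonce)
        cert, body = answer["cert"], answer["cert"]["body"]
        if not ToyRSA.verify(self.ca.public_n, canonical(body), cert["sig"]):
            return None                   # step 5: not issued by the CA we trust
        if self.ca.is_revoked(body["serial"]):
            return None                   # reported SPIMmer, certificate revoked
        if body["subject"] != jid or not jid.endswith("@" + origin.domain):
            return None                   # certificate is for someone else
        if not ToyRSA.verify(body["n"], nonce, answer["proof"]):
            return None                   # certificate shown without its key
        return body["subject"]            # step 6: John, not j.o, is authenticated


def demo():
    ca = ToyCA()
    jo, jaim = Server("j.o", ca), Server("jaim.org", ca)
    john = Client("john@j.o", ca)
    jo.connect(john)
    before = jaim.authenticate_remote("john@j.o", jo)   # "john@j.o"
    ca.revoke(john.cert["body"]["serial"])              # John gets reported
    after = jaim.authenticate_remote("john@j.o", jo)    # None
    return before, after


if __name__ == "__main__":
    print(demo())
```

The verification order on the jaim.org side is the part worth keeping in mind: issuer signature, then revocation, then that the subject matches both the requested JID and the domain the request was relayed through, and finally possession of the key named in the certificate.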
