On 13 nov. 2013, at 12:56, Dave Cridland <d...@cridland.net> wrote: > Then there's the "same-cert" shortcut, where the receiver connects to the > authoritative server and compares certs. This is an interesting case, because > we're deriving identity (and therefore authenticating) from the certificate, > but the certificate isn't sufficient to authorize - so we dialback to the > authoritative server and if the certificate matches, this is sufficient > authorization. > > What we're now debating is whether we need a trusted identity in same-cert, > or whether a self-signed certificate is sufficient. We need to be assured > that the identity is unique - that is, that the private key is known only to > the authorized party, basically, and I'm personally concerned that there > could be cases of TLS and/or XMPP implementations shipping with a sample > certificate then used in production. > > What do people think? > > Dave.
I’ve added a table to the xmpp.net stats page showing which domains share a public key: https://xmpp.net/reports.php#sharesprivatekeys It checks the SPKI field, so the certificates may be different but the public key on them is the same. Of course many are harmless false positives, there might be good reasons why two domains share a key. But those of note are: Prosody's default key: F7:D9:2E:68:43:43:A9:EA:2E:BE:5F:FA:4B:B7:B9:25:EC:3C:03:5B:85:B5:C4:38:48:0E:8A:9A:71:66:E6:E6 Ejabberd's default key: C5:78:17:B1:34:90:54:D0:5A:16:A4:C6:71:80:6D:C3:F8:8B:F1:31:3D:64:BD:42:8F:1F:C5:D9:21:EB:99:BE Thijs
