deckrider spake unto us the following wisdom:
> > I think you might have missed the point of this discussion. I believe
> > my DNS records are correct (I don't have all the records you do, but I
> > DO have the SRV records).
> >
> > I was mostly just raising the point that there doesn't seem to be a
> > way for someone else's domain to virtually host a jabber server for
> > your domain without there being a certificate mismatch.
>
> Hmmmm, I was thinking that depended on what the certificate was matched
> against: if the example.com domain's DNS SRV records pointed to
> talk.l.google.com and the certificate that talk.l.google.com presented
> matched talk.l.google.com then I would assume that there _would_ be a
> match, and everyone would be happy.

No. The thread Mark pointed people to earlier discusses this. Basically,
it's really easy to give out bogus SRV records (or bogus anything DNS
records). You want to verify the certificate against the host the user
thinks they are connecting to, not the host some untrusted and potentially
malicious DNS server spewed forth.

Ethan

--
The laws that forbid the carrying of arms are laws [that have no remedy
for evils]. They disarm only those who are neither inclined nor determined
to commit crimes.
    -- Cesare Beccaria, "On Crimes and Punishments", 1764
_______________________________________________
Support mailing list
Support@pidgin.im
http://pidgin.im/cgi-bin/mailman/listinfo/support
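
The two matching policies discussed in the thread, side by side, as an added example (not part of the original messages and not Pidgin's code). The certificate name lists and the host xmpp.attacker.invalid are constructed, and the matcher is a simplified dNSName comparison that assumes the certificate chain has already been validated.

```python
# Added illustration: constructed names, no network access.

def dns_name_matches(pattern: str, name: str) -> bool:
    """Match one certificate dNSName against a reference name.
    A wildcard is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n) or not all(p) or not all(n):
        return False
    if p[0] == "*":
        # "*.example.com" covers one extra label; "*.com" is refused.
        return len(p) > 2 and p[1:] == n[1:]
    return p == n

def cert_valid_for(cert_dns_names, reference: str) -> bool:
    return any(dns_name_matches(san, reference) for san in cert_dns_names)

def check_connection(user_domain, srv_target, cert_dns_names, policy):
    """policy "source": match the domain the user typed (what Ethan describes).
    policy "target": match the SRV target DNS returned (deckrider's assumption)."""
    if policy not in ("source", "target"):
        raise ValueError(policy)
    reference = user_domain if policy == "source" else srv_target
    return cert_valid_for(cert_dns_names, reference)

# Constructed scenarios: (label, SRV target from DNS, dNSNames in the cert)
SCENARIOS = [
    ("hosted, cert names only the hoster",
     "talk.l.google.com", ["talk.l.google.com"]),
    ("hosted, cert also names the user's domain",
     "talk.l.google.com", ["talk.l.google.com", "example.com"]),
    ("forged SRV answer, cert issued for the forged host",
     "xmpp.attacker.invalid", ["xmpp.attacker.invalid"]),
]

def evaluate(user_domain="example.com"):
    """Return {label: {"source": bool, "target": bool}} for every scenario."""
    return {
        label: {p: check_connection(user_domain, target, names, p)
                for p in ("source", "target")}
        for label, target, names in SCENARIOS
    }

if __name__ == "__main__":
    for label, result in evaluate().items():
        print(f"{label}: {result}")
```

Matching the SRV target accepts every scenario, including the forged answer; matching the user's domain accepts only the certificate that actually names example.com.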