On 05/19/2011 09:33 PM, Glenn Maynard wrote:

Hi,

> If discovery is made via XMPP itself, then no additional trust
> dependencies are needed. Perform a SRV lookup to find the regular XMPP
> server for the domain, connect to it using XMPP's TLS rules (which don't
> have this problem), and ask it where its BOSH server is. This is also
> far simpler to deploy than DNSSEC. For combined XMPP servers that
> handle both XMPP and BOSH, it would require no additional work for the
> administrator at all; it would just work.

Why on earth would you want to connect using BOSH when you can connect directly?

> That has the problem I originally mentioned, though: it would
> effectively prevent pointing at a third-party BOSH server. If
> 172.16.37.54 is actually bosh.google.com, it
> won't have a certificate for _xmppconnect.jabber.org.
> I assume that's a case BOSH is meant to support.

Well, that argument more or less prevents *any* hosted XMPP solution. If the hosting party doesn't want to carry certificates for all domains they host, then no secure connections are possible, with or without BOSH.

best wishes,
Winfried
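The trust question the two posters argue about, as an added example that is not code from this thread or from any XMPP project: a small decision function that encodes both discovery paths they describe. An endpoint found through an unauthenticated DNS TXT record under `_xmppconnect.<domain>` (the XEP-0156 record; the `_xmpp-client-xbosh` attribute name is taken from that XEP) can only be trusted if its certificate names the XMPP domain itself, which is exactly why a hosted `bosh.google.com` endpoint fails for `jabber.org`. An endpoint whose URL arrived over an already TLS-verified XMPP stream may instead present a certificate for its own hostname. The function names, the `name_matches` helper and all inputs are constructed for this example; nothing touches the network.

```python
"""Decide whether a discovered BOSH endpoint may be trusted for an XMPP domain.

Added example for the thread above, not code from the thread. It models the
two discovery paths discussed: an unauthenticated DNS TXT record under
_xmppconnect.<domain> (XEP-0156, attribute _xmpp-client-xbosh) and an answer
obtained over an already-authenticated XMPP connection. All inputs below are
constructed; no DNS or TLS traffic is generated.
"""
from urllib.parse import urlparse


def parse_xmppconnect_txt(txt_records):
    """Return the BOSH URL from XEP-0156-style TXT record strings, or None.

    Each record looks like '_xmpp-client-xbosh=https://host/http-bind'.
    Anything else (other attributes, malformed strings) is ignored.
    """
    for rec in txt_records:
        key, sep, value = rec.partition("=")
        if sep and key.strip() == "_xmpp-client-xbosh":
            return value.strip()
    return None


def name_matches(pattern, host):
    """Certificate-name match: exact, or a single leading wildcard label.

    '*.example.org' matches 'a.example.org' but not 'example.org' itself and
    not 'a.b.example.org' (the wildcard covers exactly one label).
    """
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # '.example.org'
        return host.endswith(suffix) and host.count(".") == pattern.count(".")
    return False


def bosh_endpoint_trusted(xmpp_domain, bosh_url, cert_names, discovered_via_tls_xmpp):
    """Return (trusted, reason) for a candidate BOSH endpoint.

    xmpp_domain             -- the domain the user is logging in to, e.g. 'jabber.org'
    bosh_url                -- the discovered endpoint URL
    cert_names              -- subjectAltName dNSNames the endpoint presented (constructed)
    discovered_via_tls_xmpp -- True if the URL was obtained over a TLS-verified XMPP
                               stream to xmpp_domain's own server, False if it came
                               from an unauthenticated DNS TXT lookup
    """
    u = urlparse(bosh_url)
    if u.scheme != "https" or not u.hostname:
        return False, "BOSH URL must be https with a hostname"
    # Path 1: the endpoint proves it speaks for the XMPP domain itself.
    # This is the only acceptable outcome when the URL came from plain DNS,
    # because a forged TXT answer could point anywhere.
    if any(name_matches(n, xmpp_domain) for n in cert_names):
        return True, "certificate names the XMPP domain"
    # Path 2: the domain's own (authenticated) server vouched for the URL,
    # so it is enough that the endpoint proves it is the host in that URL.
    if discovered_via_tls_xmpp and any(name_matches(n, u.hostname) for n in cert_names):
        return True, "URL came over authenticated XMPP; certificate names the BOSH host"
    return False, "certificate matches neither the XMPP domain nor an authenticated endpoint"


def demo():
    """Walk through the jabber.org / bosh.google.com scenario from the thread."""
    # Constructed TXT answer for _xmppconnect.jabber.org pointing at a hosted endpoint.
    txt = ["_xmpp-client-xbosh=https://bosh.google.com/http-bind"]
    url = parse_xmppconnect_txt(txt)
    hosted_cert = ["bosh.google.com"]          # what a hosted endpoint would present
    via_dns = bosh_endpoint_trusted("jabber.org", url, hosted_cert, False)
    via_xmpp = bosh_endpoint_trusted("jabber.org", url, hosted_cert, True)
    return url, via_dns, via_xmpp


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running `demo()` shows the disagreement in code: the same hosted endpoint is rejected when found through DNS (its certificate does not cover `jabber.org`) and accepted when the URL was handed out by `jabber.org`'s own server over a verified XMPP connection. Only the first path forces the hosting party to carry a certificate for every hosted domain, which is the cost Winfried points to.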
