On Thursday 20 November 2003 11:39 pm, Matthias Wimmer wrote:
> Justin Karneges wrote on 2003-11-20 16:46:46:
> > I hope you're not planning on using a cert-less TLS between servers.
> > That would be a really bad precedent to set.
>
> There are not many servers with certificates signed by one of the big CAs -
> I know none. Therefore we still need dialback. But it would be nice
> for these connections to be at least protected against passive attacks by
> encrypting the stream.
>
> I agree that this is not how it should be ideally, but it wouldn't help
> XMPP/Jabber if we require each server to own a commercial certificate as
> we would lose most if not all free servers.

Yes, this is the unfortunate reality. I have always wondered if maybe the JSF could act as an independent CA, to create free certs for everyone. It would mean that servers (and clients too, I suppose) would have to bundle the JSF certificate, but this would not be a huge deal.

I'm not sure how the JSF would handle proper identification of those who apply.. Maybe it could just be a simple first-come first-serve thing, and if someone else gets a cert for your domain before you do, then you can ping stpeter to resolve the dispute. ;-)

But then maybe I'm asking for too much, considering jabber.org still has an invalid certificate. :P

-Justin
_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev
