On 15 Aug 2008 at 20:11, Peter Saint-Andre wrote:

Peter Saint-Andre wrote:
Forwarding a message sent before I fixed a Mailman restriction...
---------- Forwarded message ----------
From: Garrett Wollman <[EMAIL PROTECTED]>
To: XMPP Operators Group <[email protected]>
Date: Fri, 15 Aug 2008 13:18:11 -0400
Subject: Re: [Operators] Secure Communications Week
On Fri, 15 Aug 2008 07:59:06 -0600, Peter Saint-Andre <[EMAIL PROTECTED]> said:
> How about TLS with self-signed certs + server dialback? At least that
> would give us channel encryption.
That's no better than anonymous TLS (without certificates).

This is true. I have two questions:

1. Is TLS+Dialback better than Dialback without TLS?
Yes. Confidentiality is always an improvement.


2. How *should* we handle certificates that are self-signed, issued by unknown CAs, etc.?

There is a lot we could add in a best-practice document. Self-signed certificates don't belong to a CA, but can still be identified with a fingerprint. Postfix (e-mail server) supports both fingerprints and CA-style certificate handling.

From reading server manuals and configurations, we could both improve configurations and improve documentation of this in order to make more people install certificates and enable encryption.

Authentication of domains can be assisted by a CA, or by DNSSEC. There are options now to store server-side SSH key fingerprints in DNS, certified by DNSSEC. We could certainly recommend doing the same with XMPP server certificate fingerprints and have that as a "lightweight" option. That won't require a global CA.

Just a few thoughts in response to this mail and other mails.
/O
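The fingerprint-or-CA policy sketched above, as an added example that is not code from this thread, from Postfix or from any XMPP server. It assumes a hypothetical per-domain record "(hash algorithm, fingerprint)" published in DNS under DNSSEC in the spirit of SSHFP, and uses constructed byte strings in place of real DER certificates; any DER bytes (e.g. from ssl.PEM_cert_to_DER_cert) work the same way.

```python
import hashlib
import hmac

# Constructed stand-ins for the DER bytes of two self-signed server certificates.
# The fingerprint logic only hashes bytes, so these suffice for the demonstration.
CERT_DER_EXAMPLE_ORG = b"constructed DER of the self-signed cert for example.org"
CERT_DER_ROTATED = b"constructed DER of a different cert with no published record"


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hex fingerprint of a DER certificate (what 'openssl x509 -fingerprint'
    prints, without the colons)."""
    return hashlib.new(algo, der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' spellings and canonicalise for comparison."""
    return fp.replace(":", "").replace(" ", "").lower()


# Hypothetical DNSSEC-signed records (assumed format): domain -> (algo, fingerprint).
# The operator computes the value from the certificate actually deployed.
PUBLISHED = {
    "example.org": ("sha256", fingerprint(CERT_DER_EXAMPLE_ORG)),
}


def verify_peer(domain: str, der: bytes, ca_verified: bool, published=PUBLISHED) -> str:
    """Postfix-style policy: a CA-validated chain or a matching published
    fingerprint authenticates the peer; a published record that does not match
    is a hard reject; with no record at all the channel is encrypted only."""
    if ca_verified:
        return "authenticated:ca"
    record = published.get(domain)
    if record is None:
        # No better than anonymous TLS: confidentiality, but the peer is unauthenticated.
        return "encrypted-only:unauthenticated"
    algo, expected = record
    actual = fingerprint(der, algo)
    # Constant-time comparison of the canonical hex forms.
    if hmac.compare_digest(normalize(expected), normalize(actual)):
        return "authenticated:fingerprint"
    return "reject:fingerprint-mismatch"
```

Operationally the "reject" branch is what a pinned fingerprint buys over dialback alone: a certificate that differs from the published one (for example after an unannounced key rotation) is refused instead of silently accepted.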
