Johansson Olle E wrote:

On 15 Aug 2008, at 20:11, Peter Saint-Andre wrote:

Peter Saint-Andre wrote:
Forwarding a message sent before I fixed a Mailman restriction...
---------- Forwarded message ----------
From: Garrett Wollman <[EMAIL PROTECTED]>
To: XMPP Operators Group <[email protected]>
Date: Fri, 15 Aug 2008 13:18:11 -0400
Subject: Re: [Operators] Secure Communications Week
<<On Fri, 15 Aug 2008 07:59:06 -0600, Peter Saint-Andre <[EMAIL PROTECTED]> said:
> How about TLS with self-signed certs + server dialback? At least that
> would give us channel encryption.
That's no better than anonymous TLS (without certificates).

This is true. I have two questions:

1. Is TLS+Dialback better than Dialback without TLS?
Yes. Confidentiality is always an improvement.

Agreed. As long as people know what they're doing. :)

2. How *should* we handle certificates that are self-signed, issued by unknown CAs, etc.?

There is a lot we could add in a best-practice document. Self-signed certificates don't belong to a CA, but can still be identified with a fingerprint. Postfix (e-mail server) supports both fingerprints and CA-style certificate handling.

Yes it would be good to see how this is handled in mail servers.

From reading server manuals and configurations, we could both improve configurations and improve documentation of this in order to make more people install certificates and enable encryption.

Authentication of domains can be assisted by a CA, or by DNS-sec. There are options now to store server-side SSH key fingerprints in DNS, certified by DNS-sec. We could certainly recommend doing the same with XMPP server certificate fingerprints and have that as a "lightweight" option. That won't require a global CA.

I suppose one question is: how do you check fingerprints? Do you find contact information for the hostmaster and call him on the phone? Does XMPP traffic get queued up while you do that? Do you refuse the connection and flag the s2s request for action by the xmpp admin? And is all that really easier in the end than requesting a cert at xmpp.net?

So yes, a best practices document seems like a good idea...

/psa
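
One of the options raised in the question above (refuse the connection and flag the s2s request for the admin), sketched as an added example that is not part of the original thread or of any XMPP server's code. The class and function names are hypothetical, SHA-256 over the DER encoding is an assumed fingerprint format, and the byte strings are constructed stand-ins for certificates.

```python
import hashlib
import hmac
from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"    # certificate matches a fingerprint pinned for the domain
    REJECT = "reject"    # domain has pins, but this certificate matches none
    HOLD = "hold"        # no pin yet: refuse for now and flag for the admin


def normalize(fp: str) -> str:
    """Accept 'AA:BB:..' or 'aabb..' forms; compare as lowercase hex."""
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding (digest choice is an assumption)."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    def __init__(self):
        self.pins = {}          # domain -> set of approved fingerprints
        self.review_queue = []  # (domain, fingerprint) awaiting out-of-band check

    def approve(self, domain: str, fp: str) -> None:
        """Called by the admin after verifying the fingerprint out of band."""
        entry = (domain.lower(), normalize(fp))
        self.pins.setdefault(entry[0], set()).add(entry[1])
        self.review_queue = [e for e in self.review_queue if e != entry]

    def check(self, domain: str, der_cert: bytes) -> Decision:
        domain, fp = domain.lower(), fingerprint(der_cert)
        pinned = self.pins.get(domain)
        if not pinned:
            if (domain, fp) not in self.review_queue:
                self.review_queue.append((domain, fp))
            return Decision.HOLD
        # Constant-time comparison; several pins per domain allow key rollover.
        if any(hmac.compare_digest(fp, p) for p in pinned):
            return Decision.ACCEPT
        return Decision.REJECT


# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed-der-bytes-for-example.org-key-1"
CERT_B = b"constructed-der-bytes-for-unexpected-key"
```

A pinned domain that presents a different certificate is rejected outright rather than queued, so a changed key never silently replaces an approved one.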
