If every XMPP server runs its own CA, then how is that different from every XMPP server offering a self-signed certificate? All of the certs will be issued by unknown authorities, thus making life difficult for end users (those scary security warnings!) and reducing the effectiveness of using common CAs (which can be bundled into operating systems or cert-stores and therefore re-used by clients and servers).

On 11/14/09 2:44 PM, Peter Viskup wrote:
> I forgot to solve this.
> I have that in ToDo list - I will issue new cert with "Subject
> Alternative Name" soon. I just need to find some free time ;-).
> I do not have any objections for using our own CA - we just run our own
> 'Osiris CA' for all services running on our server. I hope that this
> will be not a difficulty to list jabber.sk in your 'Public services list'.
>
> Regards,
> Peter Viskup
>
> Peter Saint-Andre wrote:
> On 8/8/09 8:06 PM, Peter Viskup wrote:
>
>>>> - CA: [Osiris CA] (CA certificates available on https://ca.osiris.sk/)
>>>>
>
> When I visit https://ca.osiris.sk/ my browser shows me the following
> warning:
>
>    ca.osiris.sk uses an invalid security certificate.
>
>    The certificate is not trusted because the issuer certificate
>    is unknown.
>
>    The certificate is only valid for *.jabber.sk
>
> So we seem to have circular trust here (basically, a self-signed
> certificate).
>
> Do you have objections to using a certificate from a recognized CA, such
> as StartCom or even CAcert?
>
> Peter
>
