On 2/22/2010 9:41 AM, Peter Saint-Andre wrote:
On 2/22/10 8:35 AM, Jesse Thompson wrote:It looks like StartSSL doesn't offer free wildcard certificates (like crack, the first hit is free)It did in the old days when we had the XMPP ICA. In fact we were in the process of removing that option for Class 1 certs even for the XMPP ICA because of security problems with wildcard certs. Part of the reasoning behind pulling the plug on the XMPP ICA and redirecting admins to startssl.com was that we'd need to perform stronger verification and that infrastructure was already in place at startssl.com but not at xmpp.net.
This feels like a bait and switch. The only reason we bothered with the wildcard certificate was because the XMPP ICA made it easy.
Now, we're tempted to just install our certificate which matches the server name, and create documentation telling users how to bypass the certificate mismatch warnings. Since Google Apps suffers from the same certificate mismatch problem, the reality is that XMPP clients are having to create workflows to make it easy for users to bypass the errors. We might as well stick with this clusterf*ck until xmpp-dna or xmpp-delegate is implemented.
Is there a free option for XMPP certificates?There is: startssl.com (Class 1).
The wildcard certificates are not free, and the verification requirements are going to painful for an organization our size.
If we have to pay, is GoDaddy an option? (they appear to be cheap and less crappy than StartSSL)Feel free to try out GoDaddy and report back. They are not free as far as I know. I do not have experience with their certs, only their domain registration services.
hmm... a $200 experiment -- Jesse Thompson Division of Information Technology, University of Wisconsin-Madison Email/IM: [email protected]
smime.p7s
Description: S/MIME Cryptographic Signature
