On 2/22/10 11:27 AM, Jesse Thompson wrote:
> On 2/22/2010 9:41 AM, Peter Saint-Andre wrote:
>> On 2/22/10 8:35 AM, Jesse Thompson wrote:
>>> It looks like StartSSL doesn't offer free wildcard certificates (like
>>> crack, the first hit is free)
>>
>> It did in the old days when we had the XMPP ICA. In fact we were in the
>> process of removing that option for Class 1 certs even for the XMPP ICA
>> because of security problems with wildcard certs. Part of the reasoning
>> behind pulling the plug on the XMPP ICA and redirecting admins to
>> startssl.com was that we'd need to perform stronger verification and
>> that infrastructure was already in place at startssl.com but not at
>> xmpp.net.
>
> This feels like a bait and switch.

It is a recognition of the changed security landscape on the net. There are significant security issues related to wildcard certificates. Would you like me to find some URLs about those security issues?

> The only reason we bothered with the
> wildcard certificate was because the XMPP ICA made it easy.

IMHO they are still easy at startssl.com, but they are not free because they are issued only to Class 2 users. As I understand things, it is not free to become a Class 2 user because identity verification is necessary and there is more work involved in that (the price is something like $50 for two years IIRC). But I do not speak for StartSSL, so feel free to contact them directly about their policies and pricing. We (the XSF) had a good relationship with them while we offered xmpp.net, but there is no official relationship any longer.

> Now, we're tempted to just install our certificate which matches the
> server name, and create documentation telling users how to bypass the
> certificate mismatch warnings. Since Google Apps suffers from the same
> certificate mismatch problem, the reality is that XMPP clients are
> having to create workflows to make it easy for users to bypass the
> errors. We might as well stick with this clusterf*ck until xmpp-dna or
> xmpp-delegate is implemented.

Yes, you can go down that route, sure. Let us know how it goes. :) Personally I think that provides a poor user experience and I would avoid it for $25 a year.

>>> Is there a free option for XMPP certificates?
>>
>> There is: startssl.com (Class 1).
>
> The wildcard certificates are not free, and the verification
> requirements are going to be painful for an organization our size.

See above.

>>> If we have to pay, is GoDaddy an option? (they appear to be cheap and
>>> less crappy than StartSSL)
>>
>> Feel free to try out GoDaddy and report back. They are not free as far
>> as I know. I do not have experience with their certs, only their domain
>> registration services.
>
> hmm... a $200 experiment

I suppose you could investigate CAcert if $25 a year is too much to pay over at startssl.com.

Peter

--
Peter Saint-Andre
https://stpeter.im/
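The "certificate mismatch" the thread keeps returning to comes from how an XMPP client picks its reference identity: it checks the server's certificate against the domain part of the user's JID (example.org), not against the hostname an SRV record sent it to (jabber.example.org), because an unsigned DNS answer must not be allowed to pick the name the certificate has to match. The checker below is an added example, not code from this thread or from any XMPP project; it applies RFC 6125-style dNSName matching to constructed SAN lists (no real certificates) and the domain names example.org, jabber.example.org and xmpp.example.org are assumptions for illustration. It also shows why a single wildcard name is a larger exposure than a per-host name: one `*.example.org` key is accepted for every host directly under the domain, though, under the one-label rule, not for `example.org` itself.

```python
"""Reference-identity matching for an XMPP domain (RFC 6125-style).

Constructed scenario (added example, not from the original thread): a client
for user@example.org is sent by SRV to jabber.example.org, receives that
host's certificate, and must decide whether the presented dNSNames cover the
XMPP domain "example.org" -- the SRV target is not the reference identity.
"""
import re

# One DNS label: letters, digits and inner hyphens (names are lowercased first).
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _valid_hostname(name: str) -> bool:
    return all(LABEL_RE.match(label) for label in name.split("."))


def name_matches(presented: str, reference: str) -> bool:
    """True if a presented dNSName (possibly a wildcard) covers reference.

    Rules applied (a conservative subset of RFC 6125 section 6.4.3):
      * comparison is case-insensitive on ASCII labels
      * '*' is accepted only as the entire left-most label ('xm*.example.org'
        is refused)
      * the wildcard matches exactly one label, never zero or several, so
        '*.example.org' covers 'xmpp.example.org' but not 'example.org'
        or 'a.b.example.org'
      * a wildcard needs at least two fixed labels after it ('*.org' is refused)
    """
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if not _valid_hostname(reference):
        return False
    if "*" not in presented:
        return _valid_hostname(presented) and presented == reference
    p_labels = presented.split(".")
    r_labels = reference.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if not _valid_hostname(".".join(p_labels[1:])):
        return False
    # Same label count forces the '*' to stand for exactly one label.
    if len(r_labels) != len(p_labels):
        return False
    return r_labels[1:] == p_labels[1:]


def cert_covers_domain(san_dns_names, xmpp_domain: str) -> bool:
    """True if any dNSName in the certificate's SAN covers the XMPP domain."""
    return any(name_matches(n, xmpp_domain) for n in san_dns_names)


def hosts_covered(san_dns_names, candidate_hosts):
    """Which of candidate_hosts a client would accept this certificate for.

    Shows the scope of a wildcard: the same private key is valid for every
    host directly under the domain, so its compromise on one box affects all.
    """
    return [h for h in candidate_hosts if cert_covers_domain(san_dns_names, h)]


if __name__ == "__main__":
    # Constructed SAN lists, not taken from real certificates.
    host_cert = ["jabber.example.org"]                 # matches the server name only
    domain_cert = ["example.org", "jabber.example.org"]  # what the client needs
    wildcard_cert = ["*.example.org"]

    print(cert_covers_domain(host_cert, "example.org"))      # False: mismatch warning
    print(cert_covers_domain(domain_cert, "example.org"))    # True
    print(cert_covers_domain(wildcard_cert, "example.org"))  # False: wildcard needs one more label
    print(hosts_covered(wildcard_cert, ["example.org", "xmpp.example.org",
                                        "mail.example.org", "a.b.example.org",
                                        "example.com"]))
```

The first call is the situation described above: a certificate issued for the server's own hostname is rejected for the domain in the JID, and the only ways out are a certificate that lists the XMPP domain in its SAN (the second call) or a client that lets the user click through, which is the workflow the thread is arguing against.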
