On 2/22/2010 12:39 PM, Peter Saint-Andre wrote:
On 2/22/10 11:27 AM, Jesse Thompson wrote:
On 2/22/2010 9:41 AM, Peter Saint-Andre wrote:
On 2/22/10 8:35 AM, Jesse Thompson wrote:
It looks like StartSSL doesn't offer free wildcard certificates (like
crack, the first hit is free)

It did in the old days when we had the XMPP ICA. In fact we were in the
process of removing that option for Class 1 certs even for the XMPP ICA
because of security problems with wildcard certs. Part of the reasoning
behind pulling the plug on the XMPP ICA and redirecting admins to
startssl.com was that we'd need to perform stronger verification and
that infrastructure was already in place at startssl.com but not at
xmpp.net.

This feels like a bait and switch.

It is a recognition of the changed security landscape on the net. There
are significant security issues related to wildcard certificates. Would
you like me to find some URLs about those security issues?

I'm aware of the issues with wildcard certificates. I cringed the first time the XMPP standards foundation offered it as the only practical solution for virtual domain hosting. I was, and still am, uncomfortable obtaining a wildcard certificate for an organization as large as ours. I took solace in the fact that the XMPP ICA certificate authority was obscure and the certificates were supposed to be used only for XMPP. Now that that has changed, I feel that wildcard certificates are no longer a valid alternative for hosting providers that wish to avoid certificate warnings.

Jesse


The only reason we bothered with the
wildcard certificate was because the XMPP ICA made it easy.

IMHO they are still easy at startssl.com, but they are not free because
they are issued only to Class 2 users. As I understand things, it is not
free to become a Class 2 user because identity verification is necessary
and there is more work involved in that (the price is something like $50
for two years IIRC). But I do not speak for StartSSL so feel free to
contact them directly about their policies and pricing. We (the XSF) had
a good relationship with them while we offered xmpp.net but there is no
official relationship any longer.

Now, we're tempted to just install our certificate which matches the
server name, and create documentation telling users how to bypass the
certificate mismatch warnings. Since Google Apps suffers from the same
certificate mismatch problem, the reality is that XMPP clients are
having to create workflows to make it easy for users to bypass the
errors. We might as well stick with this clusterf*ck until xmpp-dna or
xmpp-delegate is implemented.

Yes you can go down that route, sure. Let us know how it goes. :)
Personally I think that provides a poor user experience and I would
avoid it for $25 a year.

Is there a free option for XMPP certificates?

There is: startssl.com (Class 1).

The wildcard certificates are not free, and the verification
requirements are going to be painful for an organization our size.

See above.

If we have to pay, is GoDaddy an option? (they appear to be cheap and
less crappy than StartSSL)

Feel free to try out GoDaddy and report back. They are not free as far
as I know. I do not have experience with their certs, only their domain
registration services.

hmm... a $200 experiment

I suppose you could investigate CAcert if $25 a year is too much to pay
over at startssl.com.

Peter


--
  Jesse Thompson
  Division of Information Technology, University of Wisconsin-Madison
  Email/IM: [email protected]
