On 12/16/2012 10:55 PM, Claudiu Curcă wrote:
From: [email protected] [mailto:[email protected]] On Behalf
Of Jonas Wielicki
Sent: Sunday, 16 December 2012 22:47
To: [email protected]
Subject: Re: [Operators] SSL certificates / private CAs / CACert issue
Hi Claudiu,
Fair point, although I find it very hard to believe that anyone nowadays still
runs an email server or Jabber server and hasn't completely turned off
plaintext comms. Using plaintext comms for such communication is wrong on so
many levels that I don't even want to get into such a discussion.
Agreed on the moral point. However, I'd like to see stats on how many public
services allow plaintext comm and which ratio of those even accepts plaintext
auth over the unencrypted channel.
I, for myself, have enabled unencrypted communications on my XMPP service, even
for s2s. Why? Because the documentation of the server software I use recommends
it to increase interoperability. Because other servers might reject my fine
CACert certificate (although I'll look into StartSSL).
regards,
Jonas W.
Unfortunately, what you say is true and no one can say otherwise. However, the
truth of the matter is that this situation should be improved (mainly by
convincing the Ops to use proper certificates and discourage the use of
unsecured connections, and by CAs doing a better job of ending up in Trust Store
lists), not the other way around. If everyone started putting security ahead of
comfort, this situation would not be as it is.
Alas, this is just wishful thinking...
Claudiu
Hi all,
can anyone tell me what the difference is between the certs that CACert
and our 'private' CA are issuing?
I do see only one - CACert is for some unknown reason accepted by most
of the XMPP software. Once you would like to push such restrictive SSL
rules, you should start with rejecting the CACert certificates and inform
all XMPP software developers that they should remove their root certs
from the list of trusted CAs. Otherwise I do not see the reason why
some XMPP servers should reject any other CAs in the world.
I do appreciate the work of all the people in CACert and like them, but I
see this as a grey area on this front in the XMPP world. And nobody wants
to touch it because it smells.
--
Peter
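Jonas asks above for numbers on how many public services still allow plaintext connections and what share of those even accept plaintext authentication over the unencrypted channel. The following is an added example, not code from anyone on this thread: it takes the pre-STARTTLS `<stream:features>` stanza an XMPP server sends (as described in RFC 6120) and classifies it by whether STARTTLS is offered, whether it is marked `<required/>`, and whether a cleartext SASL mechanism such as PLAIN is advertised before TLS is negotiated. The four stanzas are constructed samples, and the `xmlns:stream` declaration is added to each so they parse stand-alone (on the wire it lives on the enclosing stream header).

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
# SASL mechanisms that carry the password (or a trivially reversible form of it)
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample stanzas (not captured from real servers). Each is the first
# <stream:features> a server sends, i.e. before any STARTTLS negotiation.
SAMPLE_FEATURES = {
    "good.example": """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
</stream:features>""",
    "lax.example": """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>SCRAM-SHA-1</mechanism>
    <mechanism>DIGEST-MD5</mechanism>
  </mechanisms>
</stream:features>""",
    "bad.example": """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>""",
    "legacy.example": """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
    <mechanism>DIGEST-MD5</mechanism>
  </mechanisms>
</stream:features>""",
}


def classify_features(features_xml: str) -> dict:
    """Classify a pre-TLS <stream:features> stanza.

    Returns the raw observations plus a one-word verdict:
      tls-required            STARTTLS offered and mandatory (nothing else may proceed in clear)
      tls-optional            STARTTLS offered, but the server will keep talking without it
      plaintext-auth-possible STARTTLS not mandatory and a cleartext SASL mechanism is
                              advertised before TLS, so a password can cross the wire in clear
      no-tls                  STARTTLS not offered at all
    """
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    offers_starttls = starttls is not None
    requires_starttls = offers_starttls and starttls.find(f"{{{NS_TLS}}}required") is not None

    # SASL mechanisms advertised in the *pre-TLS* features are usable without encryption.
    mechs = []
    mechanisms = root.find(f"{{{NS_SASL}}}mechanisms")
    if mechanisms is not None:
        mechs = [m.text.strip() for m in mechanisms.iterfind(f"{{{NS_SASL}}}mechanism") if m.text]
    plaintext_auth_before_tls = not requires_starttls and any(m in CLEARTEXT_MECHS for m in mechs)

    if not offers_starttls:
        verdict = "no-tls"
    elif requires_starttls:
        verdict = "tls-required"
    elif plaintext_auth_before_tls:
        verdict = "plaintext-auth-possible"
    else:
        verdict = "tls-optional"

    return {
        "offers_starttls": offers_starttls,
        "requires_starttls": requires_starttls,
        "pre_tls_mechanisms": mechs,
        "plaintext_auth_before_tls": plaintext_auth_before_tls,
        "verdict": verdict,
    }


def audit(features_by_server: dict) -> dict:
    """Classify every server's stanza; keys are server names, values are classifications."""
    return {name: classify_features(xml) for name, xml in features_by_server.items()}


def summarize(results: dict) -> dict:
    """Produce the two numbers asked for: how many servers allow an unencrypted
    session at all, and what share of those also accept plaintext auth over it."""
    unencrypted_allowed = sum(1 for r in results.values() if not r["requires_starttls"])
    plaintext_auth = sum(1 for r in results.values() if r["plaintext_auth_before_tls"])
    return {
        "servers": len(results),
        "verdicts": Counter(r["verdict"] for r in results.values()),
        "unencrypted_allowed": unencrypted_allowed,
        "plaintext_auth_unencrypted": plaintext_auth,
        "plaintext_auth_ratio": (plaintext_auth / unencrypted_allowed) if unencrypted_allowed else 0.0,
    }


if __name__ == "__main__":
    results = audit(SAMPLE_FEATURES)
    for name, r in results.items():
        print(f"{name:16} {r['verdict']:24} pre-TLS SASL: {', '.join(r['pre_tls_mechanisms']) or '-'}")
    print(summarize(results))
```

The only observation the classifier needs is the first features stanza, which a server sends before any encryption is in place, so this check can be run from stored server responses without ever authenticating. A server whose `lax.example`-style features only offer SCRAM or DIGEST-MD5 before TLS still exposes the whole session to passive reading, which is why the summary counts it as allowing an unencrypted session even though the password itself is not sent in clear.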