[...]
We already had some 'excessive' discussion about it with Peter Saint-Andre this year and didn't 'solve' it. The only outcome of it was that the Jabber.sk service is still not listed in the list of public services and the only reason is that it's using a certificate signed by our internal CA. I did accept that and gave Peter more time to think about it as it doesn't harm our service at all.
Peter doesn't have a moral high ground on that topic given that xmpp.org (and muc.xmpp.org, hello council :-)) is running with a self-signed certificate that
a) doesn't contain xmpp.org or muc.xmpp.org (see RFC 6125)
b) has expired in October 2010

Maybe public shaming helps :-p

[...]
Now let me fall into the situation with SSL certificates in the XMPP world in more detail. Just some months before (and it looks like that also these times) the CACert wasn't recognised as a publicly trusted CA by the Mozilla Foundation [2] (Opera and many more too) because they didn't pass their auditing. But at those times almost all of the jabber servers and clients already accepted certificates signed by them as 'secure'. Looks like that XMPP
XMPP servers tend to accept anything as "usable" for doing TLS encryption. Back in 2007 I had no problems using a revoked certificate (for authentication) either.
See http://mail.jabber.org/pipermail/standards/2007-July/016086.html

I recall repeating this this year with similar results.

[...]

> I would like to give a chance to run any XMPP server with
> certificates signed by their private CA without any message rejection.

DANE and POSH might help.
