On 5/23/13 9:06 AM, Jonas Wielicki wrote:
> Hi all,
>
> It's been discussed and I'm keen to find out about authenticated
> and encrypted s2s.
>
> So I wonder what, if any, the current “standards” or suggestions on
> this one are. I'm a fan of CACert, and I'd like to stick with that.
> How's the reputation of CACert in the XMPP community?

I was somewhat involved with CACert early on. At the time I set up the XMPP Intermediate CA, I looked seriously at both CACert and StartCom. CACert was a mess back then, standard security / CA policies were not followed, etc. Since then, other folks have worked to clean it up, but I have not had time to keep track of their progress. CACert is still not in the most common certificate bundles (Mozilla, etc.), and I know the CACert folks are working to achieve that status but have not yet done so. So basically I am more comfortable with StartCom (now StartSSL), but I like the CACert model quite a bit and I'd be happy to find evidence that they're doing things the right way now.

> I believe I read somewhere that hardly anyone really does
> validation of the s2s-TLS-connection if one is used at all?

Correct, in large measure because Google Talk didn't validate. Now we have the opportunity to change that.

> To boil it down: What would I need as a server operator to have
> the optimal setup for s2s TLS?
>
> If there are no standards yet here (although I guess there are
> some, based on the behaviour of current implementations), I think
> we shall discuss this, with the major blocker “Google Federation”
> out of the way.

Use server software that correctly validates certificates and will do force-TLS. At least that's a good place to start.
Peter

-- 
Peter Saint-Andre
https://stpeter.im/
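A probe for the two properties Peter recommends, added here as an example and not code from the thread or from any XMPP project: does the remote s2s endpoint advertise STARTTLS as required (force-TLS), and does its certificate validate, chain and name, against the XMPP domain rather than the host it happens to run on. It assumes the s2s port is reachable at the domain name itself on 5269 (no SRV lookup), and the originating domain probe.example is a placeholder.

```python
import socket
import ssl
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"

def stream_header(from_domain, to_domain):
    # Opening <stream:stream> an originating server sends on a new s2s link.
    return ("<?xml version='1.0'?><stream:stream xmlns='jabber:server' "
            f"xmlns:stream='{STREAM_NS}' from='{from_domain}' to='{to_domain}' version='1.0'>")

def starttls_policy(features_xml):
    """(offered, required) for <starttls/>; required=True is force-TLS."""
    # A fragment read off the wire lacks the xmlns:stream declaration that sits
    # on the enclosing <stream:stream>, so wrap it in a root that supplies one.
    root = ET.fromstring(f"<r xmlns:stream='{STREAM_NS}'>{features_xml}</r>")
    tls = root.find(f".//{{{TLS_NS}}}starttls")
    required = tls is not None and tls.find(f"{{{TLS_NS}}}required") is not None
    return (tls is not None, required)

def verifying_context():
    """Rejects untrusted chains and name mismatches; anything weaker is not validating."""
    ctx = ssl.create_default_context()  # system trust store, CERT_REQUIRED, check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def read_until(sock, *markers):  # gather bytes until one marker shows up
    buf = b""
    while not any(m in buf for m in markers):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("stream closed before expected element")
        buf += chunk
    return buf

def probe(domain, host=None, port=5269, timeout=10):
    """Dial the s2s port, STARTTLS, validate the cert against the XMPP domain."""
    host = host or domain  # assumption: no SRV lookup in this example
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(stream_header("probe.example", domain).encode())
        buf = read_until(sock, b"</stream:features>")
        frag = buf[buf.index(b"<stream:features"):buf.index(b"</stream:features>") + 18]
        offered, required = starttls_policy(frag.decode())
        if not offered:
            return (offered, required, None)
        sock.sendall(f"<starttls xmlns='{TLS_NS}'/>".encode())
        if b"<proceed" not in read_until(sock, b"<proceed", b"<failure"):
            return (offered, required, None)
        # server_hostname is the XMPP domain: that is the name the cert must carry.
        with verifying_context().wrap_socket(sock, server_hostname=domain) as tls:
            return (offered, required, tls.getpeercert().get("subject"))
```

A peer that offers STARTTLS without `<required/>`, or whose certificate fails `wrap_socket`, is the setup the thread describes as the norm; `probe` raises `ssl.SSLCertVerificationError` in the second case rather than silently continuing.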
