On Tue, Oct 29, 2013 at 5:46 PM, Peter Saint-Andre <[email protected]> wrote:

> On 10/29/13 11:40 AM, Jesse Thompson wrote:
> > On 10/28/2013 2:52 PM, Peter Saint-Andre wrote:
> >> On 10/28/13 1:41 PM, Jesse Thompson wrote:
> >>> Are there more details? Specifically, does "hop-by-hop
> >>> encryption using SSL/TLS" require strong association between a
> >>> domain name and an XML stream as described in
> >>> draft-ietf-xmpp-dna-04?
> >>
> >> We, as a community, need to figure out what we can do.
> >>
> >> Realistically, I think we need to prefer authenticated encryption
> >> via PKI, POSH, or DNSSEC/DANE and fall back to opportunistic
> >> encryption via TLS + dialback.
> >
> > So, the presumption is that servers which aren't capable of at
> > least TLS+dialback will be cut off?
>
> Yes.
>
> Now, this is a proposal, not an ultimatum. We, as a community, need to
> come to a decision about whether this is a reasonable course of
> action. However, I do think we owe it to the users of our services to
> provide a higher level of security.

Also, if phrased right, we could say that the Good Servers talk with each other securely, but they may also have exceptions to deal with legacy services which do not yet perform full security.

Dave.