On 09/03/2015 12:19 PM, Peter Viskup wrote:
> we know there still are issues with CA-signed and self-signed
> certificates. A self-signed certificate was the main reason for not
> accepting our server into the list of public XMPP servers.
> From my perspective it would be great to implement a XEP similar to
> Convergence [1]. That could solve at least some of the issues with
> certificates we have at the moment. In the end the CA-trust-lists would
> be removed from the clients and servers would be able to check the
> validity of certificates for s2s connections.

DANE would solve this problem. And since it is DNS based it would be easy to implement.

https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
