Hi Pedro, [...]
> 2. XMPP host xmpp.other.isp then sends an XMPP domain stream activation request. It generates a random key, signs it with the pessoa.lit certificate and encrypts it with the saramago.lit certificate. Then it sends this request to xmpp.my.isp.
You have a valid certificate and private keys for all of the domains you're hosting? The request includes the pessoa.lit certificate? If not, how does saramago.lit obtain the certificate to check the signature in step 3?

'random' keys are usually bad (replay attacks). The key should be, in part, based on a challenge by xmpp.my.isp, which makes this quite similar to how dialback keys are generated... if you replace the key validation part (4.3/4.4 in XEP-0220) with crypto instead of DNS mojo.

philipp
