On Thu, May 23, 2013 at 10:37 AM, Matthew Wild <[email protected]> wrote:
> The advantages are less clear for XMPP. We already know if the other > end supports encryption or not. However rarely is certificate > authentication strongly enforced on the general network, for reasons > we already well know. > > I wondered if a flag in stream negotiation could be used to inform the > connecting party that the server intends to always have a valid > certificate, and certificate authentication should be enforced for > that domain. > It might be interesting to try offering DANE-like information over XMPP. So one might say "I have a signed certificate from CA XYZ", or "All my XMPP endpoints for this domain use this certificate", along with a time-to-live. There's still something of a leap-of-faith involved, but it would reduce the window of opportunity for a compromised CA, and increase the utility of self-signed certificates (or CAs that are not TAs; such as private CAs). Dave.
