[JDEV] Dialback and STARTTLS
Justin Karneges
justin-keyword-jabber.093179 at affinix.com
Fri Nov 21 03:34:41 CST 2003
On Thursday 20 November 2003 11:39 pm, Matthias Wimmer wrote:
> Justin Karneges schrieb am 2003-11-20 16:46:46:
> > I hope you're not planning on using a cert-less TLS between servers.
> > That would be a really bad precedent to set.
>
> There are not many servers with certificates signed by one of the big CAs -
> I know none. Therefore we still need dialback. But it would be nice
> for these connections to be at least protected against passive attacks by
> encrypting the stream.
>
> I agree that this is not how it should be ideally, but it wouldn't help
> XMPP/Jabber if we require each server to own a commercial certificate as
> we would lose most if not all free servers.
Yes, this is the unfortunate reality.
I have always wondered if maybe the JSF could act as an independent CA, to
create free certs for everyone. It would mean that servers (and clients too,
I suppose) would have to bundle the JSF certificate, but this would not be a
huge deal.
I'm not sure how the JSF would handle proper identification of those who
apply... Maybe it could just be a simple first-come first-serve thing, and
if someone else gets a cert for your domain before you do, then you can ping
stpeter to resolve the dispute. ;-)
But then maybe I'm asking for too much, considering jabber.org still has an
invalid certificate. :P
-Justin