[jdev] TLS and self-signed certs
JD Conley
jconley at winfessor.com
Thu Nov 11 18:49:10 CST 2004
Allowing self-signed (or otherwise untrusted) certs with STARTTLS +
EXTERNAL is opening yourself up to a serious security breach. Using it
with stream:features over dialback would give you encryption with a
self-signed cert and trust through the DNS system. STARTTLS + Dialback
offers some level of trust along with encryption without having to worry
about the complexities of a certificate chain.
So, I agree with both of you. :) We have implemented STARTTLS +
EXTERNAL for S2S in SoapBox Server and allow administrators to choose
the level of trust they require. I assume if the community gets behind
it we'll implement STARTTLS + dialback as well.
JD
> -----Original Message-----
> From: Peter Saint-Andre [mailto:stpeter at jabber.org]
> Sent: Thursday, November 11, 2004 4:05 PM
> To: jdev at jabber.org
> Subject: [jdev] TLS and self-signed certs
>
> http://web.amessage.info/news/article/2981 asserts that one cannot use
> self-signed certs with TLS for securing XMPP streams. I don't think
> that's true, since we took that into account when writing RFC3920.
>
> Also, I am working with the folks from CAcert.org on building JabberIDs
> (for any kind of Jabber entity) into CAcert-issued certificates.
>
> Peter
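The trade-off JD describes above, that SASL EXTERNAL only proves a peer's identity if the server actually trusts the presented certificate, and that otherwise the encrypted stream should fall back to DNS-based dialback, can be written down as a small policy check. The following is an added illustration, not code from SoapBox Server or any other XMPP implementation; the `TrustLevel` policy names, the `PeerCert` stand-in for a parsed X.509 certificate, and the sample certificate bytes are all constructed for the example, and `chain_valid` is assumed to be the result of a real path validation done elsewhere.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class TrustLevel(Enum):
    """Administrator-chosen policy for accepting a peer certificate (constructed names)."""
    PKI = "pki"        # must chain to a trusted CA and name the claimed domain
    PINNED = "pinned"  # additionally allow a self-signed cert whose fingerprint was pre-shared
    ANY = "any"        # accept any cert: encryption only, no authentication of the peer


@dataclass
class PeerCert:
    """Minimal stand-in for a parsed X.509 certificate (constructed, not real DER)."""
    der: bytes          # encoded certificate; only hashed here
    dns_names: list     # subjectAltName dNSName entries
    chain_valid: bool   # assumed outcome of path validation against the local trust store


def fingerprint(der: bytes) -> str:
    """SHA-256 over the encoded certificate, the usual form for a pre-shared pin."""
    return hashlib.sha256(der).hexdigest()


def cert_authenticates(cert, claimed_domain, level, pins):
    """Return (ok, reason): may this certificate authenticate `claimed_domain` under `level`?"""
    if claimed_domain not in cert.dns_names:
        return False, "certificate does not name the claimed domain"
    if level is TrustLevel.ANY:
        # This is the case the post warns about: whoever minted the cert is believed.
        return True, "policy ANY: certificate accepted without verification"
    if cert.chain_valid:
        return True, "certificate chains to a trusted CA"
    if level is TrustLevel.PINNED and fingerprint(cert.der) in pins.get(claimed_domain, set()):
        return True, "self-signed certificate matches pre-shared fingerprint"
    return False, "certificate is untrusted under policy %s" % level.value


def choose_s2s_auth(cert, claimed_domain, level, pins, dialback_available):
    """Pick the S2S authentication step to run after STARTTLS has succeeded.

    'external' -> SASL EXTERNAL, identity proven by the certificate
    'dialback' -> DNS-based dialback over the already encrypted stream
    'reject'   -> nothing available that the policy trusts
    """
    ok, reason = cert_authenticates(cert, claimed_domain, level, pins)
    if ok:
        return "external", reason
    if dialback_available:
        return "dialback", reason + "; falling back to dialback"
    return "reject", reason


# Constructed sample peers: one CA-signed, one self-signed whose fingerprint the
# admin pre-shared, and one self-signed cert that anybody could have generated.
CA_SIGNED = PeerCert(b"constructed-der: example.net CA-signed", ["example.net"], True)
SELF_SIGNED = PeerCert(b"constructed-der: example.org self-signed", ["example.org"], False)
IMPOSTOR = PeerCert(b"constructed-der: minted by anyone", ["example.org"], False)
PINS = {"example.org": {fingerprint(SELF_SIGNED.der)}}


if __name__ == "__main__":
    for cert, level in [(CA_SIGNED, TrustLevel.PKI), (SELF_SIGNED, TrustLevel.PKI),
                        (SELF_SIGNED, TrustLevel.PINNED), (IMPOSTOR, TrustLevel.PINNED),
                        (IMPOSTOR, TrustLevel.ANY)]:
        domain = cert.dns_names[0]
        print(domain, level.value, "->", choose_s2s_auth(cert, domain, level, PINS, True))
```

Under the `PKI` and `PINNED` policies the untrusted self-signed certificate never reaches SASL EXTERNAL; the stream stays encrypted and identity comes from dialback, which is the STARTTLS + Dialback combination JD prefers. Only the `ANY` policy lets the impostor certificate authenticate `example.org`, which is exactly why that setting gives encryption but no trust.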