[jdev] Re: TLS and self-signed certs
Peter Saint-Andre
stpeter at jabber.org
Thu Nov 11 18:53:30 CST 2004
In article
<8CDC3525190B624F8F740435C7B9A01D59A2 at heineken.winfessor.com>,
"JD Conley" <jconley at winfessor.com> wrote:
> Allowing self-signed (or otherwise untrusted) certs with STARTTLS +
> EXTERNAL is opening yourself up for a serious security breach.
Well, that's another story. But that claim on the URL I provided was
that it is technically impossible, not inadvisable from a security
standpoint.
> Using it
> with stream:features over dialback would give you encryption with a
> self-signed cert and trust through the DNS system. STARTTLS + Dialback
> offers some level of trust along with encryption without having to worry
> about the complexities of a certificate chain.
Sure. Another possibility is (1) settling on a root CA or (2) becoming a
root CA.
/psa
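Editor's note on the exchange above, with an added example that is not code from either poster or from any Jabber project. The security-relevant point is where the two mechanisms get their identity assertion from: under SASL EXTERNAL the peer's identity is read out of its TLS certificate, so if the receiving server accepts a self-signed or otherwise unvalidated certificate, the peer has effectively written its own credentials. Dialback never trusts the certificate for identity; instead the receiving server asks whichever host DNS names as authoritative for the claimed domain to confirm the key the peer sent, so trust rests on DNS (plus whatever the TLS layer adds for confidentiality). The simulation below runs the dialback exchange in memory with constructed domains (example.net, jabber.org, evil.example), secrets, a stream ID and a stand-in DNS map. Key derivation follows XEP-0185 (HMAC-SHA256 over "receiving originating stream-id", keyed with the hex SHA-256 of the originating domain's secret); the thread itself does not specify a derivation, and RFC 3920-era servers used whatever they liked, so that choice is this example's assumption.

```python
"""Simulated XMPP server dialback (XEP-0220) with XEP-0185 key generation.

The receiving server cannot check the originator's key itself (it does not
hold that domain's secret). It forwards the key to the host that DNS names
as authoritative for the *claimed* domain and accepts the stream only if
that host says "valid". A peer that merely claims 'jabber.org' therefore
never gets to vouch for itself.

All domains, secrets, stream IDs and the DNS map below are constructed for
this demo; nothing touches the network.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NS = "jabber:server:dialback"


def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    """XEP-0185 key: HMAC-SHA256 keyed with hex(SHA256(secret)) over
    'Receiving Originating StreamID'. The originating and authoritative
    servers for a domain share `secret`, so only they can make or check it."""
    hmac_key = hashlib.sha256(secret).hexdigest().encode()
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(hmac_key, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, domain: str, secret: bytes):
        self.domain = domain
        self.secret = secret

    # --- Originating Server role --------------------------------------------
    def db_result(self, receiving: str, stream_id: str, claim: Optional[str] = None) -> str:
        """Build <db:result> for the stream whose header carried `stream_id`.
        `claim` lets a dishonest server assert a domain it does not control."""
        origin = claim or self.domain
        el = ET.Element(f"{{{NS}}}result", {"from": origin, "to": receiving})
        el.text = dialback_key(self.secret, receiving, origin, stream_id)
        return ET.tostring(el, encoding="unicode")

    # --- Authoritative Server role ------------------------------------------
    def db_verify(self, verify_xml: str) -> str:
        """Answer a <db:verify>: recompute the key with our secret, constant-time
        compare, and report type='valid' or type='invalid'."""
        v = ET.fromstring(verify_xml)
        expected = dialback_key(self.secret, v.get("from"), v.get("to"), v.get("id"))
        ok = hmac.compare_digest(expected, v.text or "")
        el = ET.Element(f"{{{NS}}}verify", {"from": v.get("to"), "to": v.get("from"),
                                            "id": v.get("id"),
                                            "type": "valid" if ok else "invalid"})
        return ET.tostring(el, encoding="unicode")

    # --- Receiving Server role ----------------------------------------------
    def accept_result(self, result_xml: str, stream_id: str, dns: Dict[str, "Server"]) -> bool:
        """Decide whether the inbound stream may speak for the domain it claims.
        `dns` stands in for the SRV/A lookup of the claimed domain."""
        r = ET.fromstring(result_xml)
        claimed = r.get("from")
        if r.get("to") != self.domain:
            return False                      # not addressed to us
        authoritative = dns.get(claimed)
        if authoritative is None:
            return False                      # unresolvable domain: refuse
        verify = ET.Element(f"{{{NS}}}verify",
                            {"from": self.domain, "to": claimed, "id": stream_id})
        verify.text = r.text                  # relay the originator's key unchanged
        answer = ET.fromstring(authoritative.db_verify(ET.tostring(verify, encoding="unicode")))
        return answer.get("type") == "valid"


def demo() -> Dict[str, bool]:
    """Three inbound streams seen by example.net; returns case -> accepted?"""
    receiving = Server("example.net", b"receiving-secret")
    jabber = Server("jabber.org", b"jabber-secret")
    evil = Server("evil.example", b"evil-secret")
    dns = {"jabber.org": jabber, "evil.example": evil}   # constructed DNS
    stream_id = "D60000229F"                            # ID example.net issued

    honest = jabber.db_result("example.net", stream_id)
    spoofed = evil.db_result("example.net", stream_id, claim="jabber.org")
    as_self = evil.db_result("example.net", stream_id)
    return {
        "honest jabber.org": receiving.accept_result(honest, stream_id, dns),
        "evil claiming jabber.org": receiving.accept_result(spoofed, stream_id, dns),
        "evil as itself": receiving.accept_result(as_self, stream_id, dns),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'refused'}")
```

Note what the third case shows: dialback proves that the peer controls the domain it names, nothing more, so evil.example is correctly accepted as evil.example and correctly refused as jabber.org. That is the "some level of trust" in the quoted text: it is exactly as strong as the DNS answer for the claimed domain, which is the property a certificate chain to an agreed root CA would replace.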