[jdev] Hosting issues

Steven Peterson stevenpete at gmail.com
Thu Sep 15 01:02:13 CDT 2005 

I am considering building a Jabber hosting service where users can
have accounts under their own domain names. It's kind of like
Dreamhost's Jabber service, except that my service will not have web
hosting or email :-).

The XMPP spec does not accommodate some of the things that I'd like to
do. At least I don't think that it does.  I've listed the issues below
and would like to get feedback.

1) DNS and s2s

My users' domain name will most likely resolve to a web host and not
to my service.
The authors of the XMPP spec anticipated this scenario by specifying
the use of SRV records to find the XMPP server for a domain. That's
all fine and dandy, except that I have not seen a DNS host that allows
a user to specify an SRV record.

Do any popular DNS hosts support SRV records? If so, I can direct my
users to these hosts.

Some web browsers try "www.domain" if they browser cannot find a web
server at "domain".  Do Jabber severs do something similar? This will
help me out because most DNS hosts allow users to specify sub domains.

2) TLS and s2s

My users will not have certs for their domains, and even if they did,
I wouldn't want to be responsible for keeping their private keys
secret.  TLS is not an option for my service.

Server dialback will work for my service, but the XMPP spec says that
dialback is documented for backward-compatiblity only. Is dialback
disappearing, or is it still in active use? I know the open source
servers support dialback.

3) TLS and c2s

Even if I cannot use TLS for s2s, I would still like to use TLS for
c2s. This will hide rosters and other sensitive data from snooping
neighbors at wireless hotspots.

The XMPP specification says that the name in the cert should match
domain part of the user's id. This is a problem because I will not
have the cert for my users' domains as mentioned above.

Most client applications allow the user to specify the server
separately from their user id. The ideal thing for my service is for
client applications to verify the cert using the server name instead
of the domain part of the user's id. That way, I only need my own cert
and private key.

I've done some experimentation and found that client applications do
what the spec suggests if the client application does any verification
at all. Fortunately, the applications let the user through after a
warning.

I'd like to avoid the warning. Any thoughts on how to proceed?


Thank you for any help that you can give me. Also, if there are other
Jabber hosting services out there, I'd appreciate any pointers. I'd
like to learn from examples.

More information about the JDev mailing list