[jdev] Hosting issues

Alexey Nezhdanov snake at penza-gsm.ru
Thu Sep 15 01:15:51 CDT 2005


In a message of Thursday 15 September 2005 10:02, Steven Peterson wrote:
> I am considering building a Jabber hosting service where users can
> have accounts under their own domain names. It's kind of like
> Dreamhost's Jabber service, except that my service will not have web
> hosting or email :-).
>
> The XMPP spec does not accommodate some of the things that I'd like to
> do. At least I don't think that it does.  I've listed the issues below
> and would like to get feedback.
>
> 1) DNS and s2s
>
> My users' domain name will most likely resolve to a web host and not
> to my service.
> The authors of the XMPP spec anticipated this scenario by specifying
> the use of SRV records to find the XMPP server for a domain. That's
> all fine and dandy, except that I have not seen a DNS host that allows
> a user to specify an SRV record.
>
> Do any popular DNS hosts support SRV records? If so, I can direct my
> users to these hosts.
>
> Some web browsers try "www.domain" if the browser cannot find a web
> server at "domain".  Do Jabber servers do something similar? This will
> help me out because most DNS hosts allow users to specify sub domains.
>
> 2) TLS and s2s
>
> My users will not have certs for their domains, and even if they did,
> I wouldn't want to be responsible for keeping their private keys
> secret.  TLS is not an option for my service.
>
> Server dialback will work for my service, but the XMPP spec says that
> dialback is documented for backward-compatibility only. Is dialback
> disappearing, or is it still in active use? I know the open source
> servers support dialback.
Probably you'll be better off providing a single key for all hosts than 
not providing any key at all. That will give your users the additional feature 
of being sure that their communications are protected.
You can make using your key a requirement for using TLS with your service, if 
you like. I think this applies both for s2s and c2s.

> 3) TLS and c2s
>
> Even if I cannot use TLS for s2s, I would still like to use TLS for
> c2s. This will hide rosters and other sensitive data from snooping
> neighbors at wireless hotspots.
>
> The XMPP specification says that the name in the cert should match
> domain part of the user's id. This is a problem because I will not
> have the cert for my users' domains as mentioned above.
>
> Most client applications allow the user to specify the server
> separately from their user id. The ideal thing for my service is for
> client applications to verify the cert using the server name instead
> of the domain part of the user's id. That way, I only need my own cert
> and private key.
>
> I've done some experimentation and found that client applications do
> what the spec suggests if the client application does any verification
> at all. Fortunately, the applications let the user through after a
> warning.
>
> I'd like to avoid the warning. Any thoughts on how to proceed?
I do not know - maybe the key may be assigned to several host names?


> Thank you for any help that you can give me. Also, if there are other
> Jabber hosting services out there, I'd appreciate any pointers. I'd
> like to learn from examples.

-- 
Respectfully
Alexey Nezhdanov
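
The name check discussed under point 3, and the reply's idea of one key covering several host names, as an added example that is not part of the original message: it compares the domain part of a JID and the connect host against the names a certificate carries. The certificate dicts follow the shape returned by Python's ssl.SSLSocket.getpeercert(); all host names and certificate contents are constructed, and listing several names through subjectAltName is the mechanism assumed here.

```python
# Added illustration; every domain name and certificate below is constructed.

def jid_domain(jid):
    """Return the domain part of a JID of the form [node@]domain[/resource]."""
    bare = jid.split("/", 1)[0]          # strip the resource first
    return bare.rsplit("@", 1)[-1].lower()

def dns_names(cert):
    """dNSName entries of a cert dict shaped like ssl.SSLSocket.getpeercert()."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # Legacy fallback: commonName, used only when no dNSName entry is present.
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or '*' as the whole left-most label covering one label."""
    p, h = pattern.rstrip(".").split("."), host.rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def check(jid, connect_host, cert):
    """Report which of the two candidate identities the certificate satisfies."""
    names = dns_names(cert)
    domain = jid_domain(jid)
    return {
        "jid_domain": any(name_matches(n, domain) for n in names),
        "connect_host": any(name_matches(n, connect_host.lower()) for n in names),
    }

# Certificate naming only the hosting service's own server.
HOSTER_ONLY = {"subject": ((("commonName", "xmpp.hoster.example"),),),
               "subjectAltName": (("DNS", "xmpp.hoster.example"),)}
# Certificate naming the server and two hosted customer domains.
MULTI_NAME = {"subject": ((("commonName", "xmpp.hoster.example"),),),
              "subjectAltName": (("DNS", "xmpp.hoster.example"),
                                 ("DNS", "customer-a.example"),
                                 ("DNS", "customer-b.example"))}

if __name__ == "__main__":
    for label, cert in (("hoster-only", HOSTER_ONLY), ("multi-name", MULTI_NAME)):
        print(label, check("alice@customer-a.example/laptop",
                           "xmpp.hoster.example", cert))
```

A client that checks the JID domain accepts only the second certificate without a warning; a client that checked the connect host would accept both.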



