[jdev] Securing XMPP

Peter Saint-Andre stpeter at stpeter.im
Wed Aug 28 16:33:21 UTC 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 8/28/13 10:28 AM, Matthew Wild wrote:
> On 28 August 2013 17:14, Simon Tennant <simon at buddycloud.com>
> wrote:
>> I'm attempting to gather the details in one place on how to
>> secure XMPP servers C2S and S2S traffic:
>> 
>> http://wiki.xmpp.org/web/Securing_XMPP
> 
> Only feedback so far: you might want to clarify the "single 
> domain"/"multiple domain" thing - DANE is not a requirement for 
> securely hosting multiple domains on a single server. I think that 
> might confuse people.

It's a wiki. Feel free to edit. I plan to. :-)

But yes, you don't need DNSSEC to handle multiple domains. In fact if
you host just a few domains you could potentially get proper certs for
all of them. It's when you host a lot of domains that you need some
other solution. DANE/DNSSEC is great for that, or will be when it is
more generally available, but IMHO we might need to wait *years* for
that to happen. Thus the work we've been doing on POSH as an interim
solution:

http://datatracker.ietf.org/doc/draft-miller-posh/

See also the domain name associations spec:

http://datatracker.ietf.org/doc/draft-ietf-xmpp-dna/

Matt Miller and I plan to update both of those by the end of next week.

Peter

- -- 
Peter Saint-Andre
https://stpeter.im/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJSHiZRAAoJEOoGpJErxa2pK5UP+QG+VxXvRVAVTWyBwlQ3vTXw
Ulp2N4i2HBOiN0zuAfoy1SfjXaOxkpg7mWD7IQaPzUvZx/5Cup2HJ6k1D3B5I5SJ
7l+pXRdZXBtu5+SCa4USm9bC4rJyXVvPdIS82itcaSUEgGPOrPBusffTEQIGfw/n
vHRixNtLIM50C3WV1sLYkY6wMGA1BdEP4qbjmaXF0A7viy9cSMFc5lVIBKlOAeEb
7lD2m9jhU/e1rFtiGISmGGawk9hpjMUfehcI8WmvrUvIt6b6WgC8XZRePXB7S56k
z7mL/4CKr++Fe0VCKf97LMWuQPVSKd4O0XzmRqErh8X71xZpTDlCeeKv3b7BuyE8
d9wNVwt7GWznrI3R2SgXNYGyOz/kubtsuihDp0tBsE2Tk58kb+MwikpPgDjahTkp
fGeM+IbBsOrgvYRI12utvBDKEIpmzYsjAphOuvug0GCtXrvGd2Qvfx+oiXM8keLp
V5FD81tkyIaahKuqWT6RfOkcbVX5QqzxLoZ4gB7GbyL1L+2lDDam2+glcud/vs96
3fQdeJOCpXjMVgtxqQc0OPoKYvfvHUz3I8cLyfDwQVGNHTaGIndYuuVHO+Q15RFw
2xMXnP7s2FE+VDf6OmxBr78daScB0if6Jc9jJeXwa7yfwjxfFVK6vzjS9s4BDlUA
K7qoLp1c/SWWVZryUYkk
=l5mH
-----END PGP SIGNATURE-----

More information about the JDev mailing list