[jdev] manifesto & DANE does not cut it
Peter Saint-Andre
stpeter at stpeter.im
Tue Nov 19 16:25:01 UTC 2013
On 11/19/13 9:21 AM, Ralf Skyper Kaiser wrote:
>
> On Tue, Nov 19, 2013 at 2:12 PM, Ashley Ward
> <ashley.ward at surevine.com <mailto:ashley.ward at surevine.com>>
> wrote:
>
> On 19 Nov 2013, at 12:30, Ralf Skyper Kaiser <skyper at thc.org
> <mailto:skyper at thc.org>> wrote:
>> Pinning does not require any protocol change in its simplest
>> form.
> It can be done with just minor changes on the client side.
>
> Agreed - in its simplest form you could use it on the c2s
> connection to ensure the server's certificate hasn't unexpectedly
> changed and there's nothing to stop xmpp clients implementing it.
>
>
> It would be nice to have this as an optional item in the manifesto
> (either Pinning-light or full pinning) so that it is on the
> roadmap.
>
>
> But this is only a small part of it. XMPP is federated, so how
> does a user ensure that the ongoing s2s connection isn't
> compromised?
>
>
> I agree. But just because we do not have a solution for every
> security problems shall we not stop developing a solution for any
> security problem.
>
> [...]
>
> I think we also need to be careful not to downplay DNSSEC and DANE
> too. They are infinitely better than most of what's happening
> today, so saying things like "DANE does not cut it" could be
> disingenuous and may deter people from implementing anything
> because it's not "perfect".
>
>
> I agree. DANE is an important step into the right direction.
And progress is being made (with many thanks to Thijs for the code
running at the IM Observatory!):
http://xmpp.net/reports.php#dnssecsrv
BTW, I have not read this thread because I am ultra-busy with work at
my day job. I hope to catch up later this week.
Peter
--
Peter Saint-Andre
https://stpeter.im/