[ejabberd] XMPP per-host certs

Peter Saint-Andre stpeter at stpeter.im
Sat Feb 9 03:03:25 MSK 2008

Brian Cully wrote:
> On 8-Feb-2008, at 17:43, Peter Saint-Andre wrote:
>> Some clients (iChat etc.) let you specify that the hostname handling a
>> gmail.com or googlemail.com (etc.) JID is "talk.google.com". Then when
>> you're presented with a certificate for talk.google.com, the client
>> considers that to be acceptable. I'll be modifying the specifications to
>> make it clear that this approach is one allowable authentication flow.
> I assume this is true for SRV record lookup as well?

As you might imagine, the IETF security mafia considers the results of
SRV lookups to be less than fully reliable, at least in the absence of
DNSSEC. Naturally, end users can be unreliable too (who convinced them
to input "talk.google.com" as acceptable for gmail.com?).

> All my certs right now are self-signed, so I can't test this myself.

You can obtain free digital certificates at https://www.xmpp.net/

> I'd be curious about experience w/ Psi, Adium, and iChat, if anyone happens to know.

Different clients handle certificates in different ways. Harmonizing the
user experience across clients sounds like a good goal for 2008 and beyond.


Peter Saint-Andre
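The validation flow discussed in this thread, as an added example that is not ejabberd code and not from either poster: a client builds the set of hostnames a server certificate may legitimately carry from the JID's domain, from any alternate host the user explicitly configured for that domain (iChat's "talk.google.com" for gmail.com), and from the SRV target only when the SRV answer was DNSSEC-validated, since an unauthenticated SRV result could point the client at any host. The certificate names, the SrvResult type and the function names are constructed for the example.

```python
"""Reference-identity check for an XMPP client connection (added example).

The certificate chain check (CA trust, expiry, self-signed or not) is a
separate step and is not modelled here; this code only decides which
hostnames the server certificate is allowed to name for a given JID.
"""
from dataclasses import dataclass


@dataclass
class SrvResult:
    """Outcome of an _xmpp-client._tcp SRV lookup (constructed type)."""
    target: str
    dnssec_validated: bool = False


def reference_identities(jid_domain, user_trusted=None, srv=None):
    """Hostnames the server certificate may carry for this JID domain.

    user_trusted maps a JID domain to the hostnames the user accepted for
    it, e.g. {"gmail.com": {"talk.google.com"}}.  The SRV target is added
    only when DNS proved it, otherwise it is just an unauthenticated hint.
    """
    domain = jid_domain.lower().rstrip(".")
    ids = {domain}
    for host in (user_trusted or {}).get(domain, ()):
        ids.add(host.lower().rstrip("."))
    if srv is not None and srv.dnssec_validated:
        ids.add(srv.target.lower().rstrip("."))
    return ids


def dns_name_matches(presented, reference):
    """RFC 6125-style dNSName comparison.

    Case-insensitive exact match, or a wildcard in the leftmost label only
    that matches exactly one label and never a bare two-label name.
    """
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if presented == reference:
        return True
    if presented.startswith("*."):
        rest = presented[2:]
        labels = reference.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == rest
    return False


def certificate_acceptable(cert_dns_names, jid_domain, user_trusted=None, srv=None):
    """True if any dNSName in the certificate matches an allowed identity."""
    refs = reference_identities(jid_domain, user_trusted, srv)
    return any(dns_name_matches(p, r) for p in cert_dns_names for r in refs)


if __name__ == "__main__":
    # Constructed scenario: a gmail.com JID, SRV pointing at talk.google.com,
    # and a certificate whose only dNSName is talk.google.com.
    cert = ["talk.google.com"]
    srv = SrvResult(target="talk.google.com.", dnssec_validated=False)
    print("no config, plain SRV :", certificate_acceptable(cert, "gmail.com", srv=srv))
    print("user configured alias:", certificate_acceptable(
        cert, "gmail.com", user_trusted={"gmail.com": {"talk.google.com"}}, srv=srv))
    print("DNSSEC-validated SRV :", certificate_acceptable(
        cert, "gmail.com", srv=SrvResult("talk.google.com.", dnssec_validated=True)))
```

The first case is rejected because nothing ties talk.google.com to gmail.com; the second is accepted because the user made that statement, which is the flow the thread says the specifications will allow; the third is accepted because DNSSEC authenticated the SRV answer, the condition under which the SRV target becomes trustworthy.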

