Re: [xmpp] Fwd: I-D Action: draft-miller-xmpp-dnssec-prooftype-03.txt
Philipp Hancke <fippo@goodadvice.pages.de> Wed, 13 February 2013 14:50 UTC
Return-Path: <fippo@goodadvice.pages.de>
X-Original-To: xmpp@ietfa.amsl.com
Delivered-To: xmpp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B02021F85BD for <xmpp@ietfa.amsl.com>; Wed, 13 Feb 2013 06:50:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id du84kqcObCwY for <xmpp@ietfa.amsl.com>; Wed, 13 Feb 2013 06:50:54 -0800 (PST)
Received: from lo.psyced.org (lost.IN.psyced.org [188.40.42.221]) by ietfa.amsl.com (Postfix) with ESMTP id 77BCC21F8778 for <xmpp@ietf.org>; Wed, 13 Feb 2013 06:50:52 -0800 (PST)
Received: from lo.psyced.org (localhost [127.0.0.1]) by lo.psyced.org (8.14.3/8.14.3/Debian-9.4) with ESMTP id r1DEobYp003693 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 13 Feb 2013 15:50:37 +0100
Received: from localhost (fippo@localhost) by lo.psyced.org (8.14.3/8.14.3/Submit) with ESMTP id r1DEob5B003689; Wed, 13 Feb 2013 15:50:37 +0100
X-Authentication-Warning: lo.psyced.org: fippo owned process doing -bs
Date: Wed, 13 Feb 2013 15:50:37 +0100
From: Philipp Hancke <fippo@goodadvice.pages.de>
X-X-Sender: fippo@lo.psyced.org
To: Simon Tennant <simon@buddycloud.com>
In-Reply-To: <CACEE+iPix6zGpFDC0KAOyR+33_2wdzPtyiFTDn7di7-T6vZKqw@mail.gmail.com>
Message-ID: <alpine.DEB.2.00.1302131510250.2647@lo.psyced.org>
References: <20130110184432.5134.57184.idtracker@ietfa.amsl.com> <50EF71A4.1050606@stpeter.im> <CACEE+iPix6zGpFDC0KAOyR+33_2wdzPtyiFTDn7di7-T6vZKqw@mail.gmail.com>
User-Agent: Alpine 2.00 (DEB 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="683466026-262484210-1360767037=:2647"
Cc: XMPP Working Group <xmpp@ietf.org>, Florian Jensen <florian@florianjensen.com>
Subject: Re: [xmpp] Fwd: I-D Action: draft-miller-xmpp-dnssec-prooftype-03.txt
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/xmpp>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2013 14:50:57 -0000
> I've been chatting with Florian about this the two standards for proving ownership in the case of a delegating domain hosting. > > Some background: Florian hosts many XMPP domains and at buddycloud, we're putting plans in place to host XMPP domains. In both cases, the more we have to ask customers to configure on their end, the less chance there is of a successful deployment. > > Right now this is: > a) customer edits their DNS and point it at our servers. Nothing else. No security at all, right? (other than server dialback) > I have huge concerns about expecting customers to provide proofs at the web layer. Especially something that runs on their "main" website. Some reasons off the top of my head: > a) Messaging team is different to web team - slow or no deployment. > b) no website hosted on their domain - do we now host web stuff too? Well, then the POSH proof type (or an equivalent integrated into draft-daboo-aggregated-service-discovery) can not be used by another xmpp server to discover the certificate for that domain. > c) their website is created or hosted by their marketing agency / some other less technical. A simple website push could overwrite their .well-known record could kill their messaging service. hosting providers will have to protect .well-known. > d) it's complicated. > > DNSSEC is being rolled out. Sure some registrar and TLDs will take longer to deploy, but in the long term, I think this is the right way to have customers (especially non-technical customers who would rather delegate hosting) delegate their hosting. Then deploy DNSSEC. Smart servers will (might) try that first and gradually fall back to POSH (or equivalent) and may resort to dial-back as a "who cares about security as long as it works" method.
- [xmpp] Fwd: I-D Action: draft-miller-xmpp-dnssec-… Peter Saint-Andre
- Re: [xmpp] Fwd: I-D Action: draft-miller-xmpp-dns… Simon Tennant
- Re: [xmpp] Fwd: I-D Action: draft-miller-xmpp-dns… Philipp Hancke
- [xmpp] Questions on POSH (WAS: Fwd: I-D Action: d… Matt Miller (mamille2)
- Re: [xmpp] Questions on POSH (WAS: Fwd: I-D Actio… Peter Saint-Andre
- Re: [xmpp] I-D Action: draft-miller-xmpp-dnssec-p… Florian Jensen
- Re: [xmpp] Questions on POSH (WAS: Fwd: I-D Actio… Florian Jensen