jdev - 2020-03-02

  1. Link Mauve

    defanor, the certificate should be valid for the JID’s domain, if there is no other trust chain.

  2. Link Mauve

    Because otherwise someone who can poison your DNS could point your-domain.example to evil.com and trivially obtain a certificate for evil.com.

  3. defanor

    Indeed. Thanks.

  4. Link Mauve

    Another trust chain in wide use is DNSSEC: if you sign the SRV record as well as a TLSA on the target domain, a client can use it.

  5. jonas’

    (I’m not sure any client does, though)

  6. Ge0rG

    for certain, not widely used values of "wide use"

  7. Zash

    I think Conversations does

  8. moparisthebest

    All clients *should* though

  9. jonas’

    I’ve got questions

  10. jonas’

    (wrong window)