-
Link Mauve
defanor, the certificate should be valid for the JID’s domain, if there is no other trust chain.
-
Link Mauve
Because otherwise someone who can poison your DNS could point your-domain.example to evil.com and trivially obtain a certificate for evil.com.
-
defanor
Indeed. Thanks.
-
Link Mauve
Another trust chain in wide use is DNSSEC: if you sign the SRV record as well as a TLSA on the target domain, a client can use it.
-
jonas’
(I’m not sure any client does, though)
-
Ge0rG
for certain, not widely used values of "wide use"
-
Zash
I think Conversations does
-
moparisthebest
All clients *should* though
-
jonas’
I’ve got questions
-
jonas’
(wrong window)