XMPP Service Operators - 2026-03-03


  1. tom

    > I've also heard reports indicating that chatterboxtown.us is rejecting new Let's Encrypt certificates.

    I am making my own certificate authority in response to google being able to control letsencrypt

  2. tom

    Using it between friends for TLS and ipsec transit mode, but I'm not sure if anyone here would be willing to install it even with it being namespace scoped

  3. freespoken.nz

    OK, I've now reported this at xmpp:support@muc.5222.de?join

  4. agh

    >> I've also heard reports indicating that chatterboxtown.us is rejecting new Let's Encrypt certificates.
    >
    > I am making my own certificate authority in response to google being able to control letsencrypt

    How expensive is that? Or are you talking self-signed CA certs?

  5. Guus

    I'm not sure there's much practical difference: running your own certificate authority means creating a self-signed certificate used to sign others, while using a self-signed certificate directly just uses that single certificate. In either case, you still have to convince peers to trust your chain: either the self-signed end-entity certificate or the self-signed root certificate.

  6. agh

    I have no idea what Tom meant. I was thinking they were talking about buying their place in the internet CA Cartel with their own business unit.

  7. agh

    That way, your signed entity would end up with all the CA's in your OS.

  8. agh

    That way, your signed entity would end up with all the other CA's in your OS.

  9. MattJ

    That's the thing Google/Mozilla have control over though

  10. MattJ

    An XMPP CA ecosystem separate from the browser one is certainly not out of the question. In fact XMPP.net began life as a CA for XMPP servers.

  11. agh

    Interesting.

  12. MattJ

    But it's not a small task, to do it at scale securely

  13. agh

    > That's the thing Google/Mozilla have control over though

    Which is why they are against DANE.

  14. moparisthebest

    wait what? Google has no control over DANE

  15. agh

    Only on adoption of it, I think.

  16. agh

    Did they not bail out on supporting DNSSEC or DANE in their platforms 12 or so years ago?

  17. agh

    My memory is fucked, but I recall a time when Google was supporting DNSSEC somewhere, maybe even in their browser, then they removed it.

  18. agh

    And you know, that DANE requires DNSSEC.

  19. moparisthebest

    god if we have to hate things google has changed their mind on that's literally everything

  20. agh

    OK true

  21. agh

    But what control does Google have on DANE?

  22. agh

    Apart from no longer implementing DNSSEC validation in the browser?

  23. agh

    And obviously Let's Encrypt was a massive diversion

  24. agh

    And obviously Let's Encrypt was a massive diversion.

  25. icebound.dev

    tom, you are better off using DANE.

  26. freespoken.nz

    > An XMPP CA ecosystem separate from the browser one is certainly not out of the question. In fact XMPP.net began life as a CA for XMPP servers.

    Wouldn't it be better to encourage adoption of DANE for authentication instead?

  27. moparisthebest

    yep, and until then LE works fine