SSL certificates / private CAs / CACert issue

Peter Viskup skupko.sk at gmail.com
Thu Dec 13 11:34:27 EST 2012


Hi all (sorry for such a wide distribution, but I am sure it will be valuable),
I hope there are many experienced admins/developers on these lists, 
and many of you are probably running certificates signed by your own CA 
on your Jabber servers too.
After some experiences over the last few months, I feel it would be 
great to discuss the use of certificates signed by a 'non-public' CA on 
public services.
We already had some 'excessive' discussion about this with Peter 
Saint-Andre this year and didn't 'solve' it. The only outcome was that 
the Jabber.sk service is still not included in the list of public 
services, and the only reason is that it uses a certificate signed by 
our internal CA. I accepted that and gave Peter more time to think 
about it, as it doesn't harm our service at all.
Nevertheless, I just discovered that Google has started to reject 
retrieval of email from POP3S and IMAPS servers which use certificates 
from non-public CAs [1]. Unfortunately they didn't provide the list of 
CAs they accept (they just mentioned the Mozilla Foundation's list), and 
they still allow retrieving this email over unsecured POP3/IMAP channels 
and propose that as a workaround. It is probably planned and has 
something to do with the new rules of Google Apps, which are not free 
anymore. But this has nothing to do with XMPP.
The second issue I have been fighting with (and not only once) is that 
the OpenFire jabber server, by default, doesn't accept message retrieval 
over an s2s connection with a jabber server using a certificate signed 
by a 'non-public' CA. Hopefully there is a chance to change this 
behavior.
Now let me go into the situation with SSL certificates in the XMPP 
world in more detail.
Just some months ago (and it looks like it is still the case) CACert 
was not recognised as a publicly trusted CA by the Mozilla Foundation 
[2] (nor by Opera and many others) because they didn't pass the audit. 
But at that time almost all jabber servers and clients already accepted 
certificates signed by them as 'secure'. It looks like the XMPP 
Foundation's proposal to use CACert as one of the possible CAs was the 
only argument for acceptance. The developers of jabber software usually 
do not pay attention to the security requirements which a CA has to 
pass before it is added to the list of 'secure' public CAs they 
recognise. I just checked several support requests for Gajim [3,4] and 
other jabber clients asking to add CACert or another CA to the list of 
accepted CAs, and none of the developers asked about or checked the 
state of the CA and the issues the CA has with this process in other 
projects, or at least they didn't mention it in the support requests.
I think that this restriction to using only publicly accepted CAs for 
SSL/TLS communication is not correct in general and should not be 
enforced by Google, the XMPP Foundation, OpenFire or anybody else. A 
possible solution for this situation in the XMPP world could be for the 
XMPP Foundation to provide the list of acceptable and secure CAs 
directly. It could maintain and provide this list for all XMPP 
developers. As a part of this solution, a process with clear 
requirements for CAs wishing to be added to this list should be defined.
I will accept that jabber.sk is not added to the list of public 
services only after this has been addressed and a clear statement has 
been made by the XMPP Foundation and/or the public XMPP service list 
maintainers.
As another argument for private CAs being accepted on XMPP servers, I 
would remind you that the XMPP network is presented as free and open, 
and we should take care not to take away its openness and freedom.
I would like to give anyone the chance to run an XMPP server with 
certificates signed by their own private CA without any message 
rejection. Of course, there is nothing stopping me from requesting that 
my certificate be signed by CACert or another CA and probably paying 
some price for it. This is just my choice, and I am asking whether the 
XMPP 'world' is ready and able to accept that, as I do not see any 
advantage of publicly accepted CAs in the XMPP network at this time.
There is also another possibility to limit such issues with connections 
not being accepted due to certificate rejection: ask the developers of 
all mainstream XMPP software (server and client) to add the CA to their 
lists. But I do not find that an appropriate and correct solution and 
would like to open a wide discussion about it instead.

I appreciate all meaningful posts in advance. (Sorry for my English.)

[1] http://support.google.com/mail/bin/answer.py?hl=en&hlrm=en&ctx=gmail&answer=21291#strictSSL
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=215243#c158
[3] https://trac.gajim.org/ticket/3329
[4] https://trac.gajim.org/ticket/5569

Best regards,
--
Peter Viskup
admin of one small public jabber.sk
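The two verification outcomes the message describes, a chain rejected because the issuing CA is not in the verifier's trust store and the same chain accepted once that CA is added to the list, as an added shell example that is not part of the original post and not code from OpenFire, Gajim or any other project mentioned. It builds a throwaway private CA and a server certificate with the openssl command-line tool; the names "Example Private CA" and jabber.example are made up for the demonstration, and the "system store" it checks against is whatever the local openssl uses by default. It also goes one step beyond the post and shows that trusting the CA does not relax the hostname check.

```shell
#!/bin/sh
# Added example (not from the original message): a private CA, a leaf
# certificate issued by it, and how openssl's verifier treats that chain
# with and without the CA in its trust list. All names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed private CA with explicit CA extensions, using our
# own config so the result does not depend on the system openssl.cnf.
make_private_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" \
        -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Issue a server certificate for the (hypothetical) XMPP host, signed by
# the private CA, with the SAN a client or s2s peer will check.
issue_server_cert() {
    cat > "$WORK/server.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt             = no
[dn]
CN = jabber.example
EOF
    cat > "$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:jabber.example
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.pem" >/dev/null 2>&1
}

setup_pki() { make_private_ca; issue_server_cert; }

# What a peer with only the public (system) trust store sees. Returns
# openssl's exit status: non-zero means the chain reaches no trusted root
# ("unable to get local issuer certificate").
verify_with_system_store() {
    openssl verify "$WORK/server.pem" >/dev/null 2>&1
}

# The same chain once the private CA is added to the trust list, together
# with the hostname check that a client or s2s peer must also perform.
verify_with_private_ca() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname jabber.example \
        "$WORK/server.pem" >/dev/null 2>&1
}

# A valid chain presented for the wrong name is still rejected: trusting
# the CA does not mean trusting any name that CA happened to sign.
verify_wrong_hostname() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname other.example \
        "$WORK/server.pem" >/dev/null 2>&1
}

setup_pki
if verify_with_system_store; then
    echo "system store: accepted (unexpected)"
else
    echo "system store: rejected, issuer not trusted"
fi
if verify_with_private_ca; then
    echo "private CA in trust list: accepted"
else
    echo "private CA in trust list: rejected (unexpected)"
fi
if verify_wrong_hostname; then
    echo "wrong hostname: accepted (unexpected)"
else
    echo "wrong hostname: rejected"
fi
```

Against a live server the equivalent check is `openssl s_client -connect host:5222 -starttls xmpp -CAfile ca.pem`, which reports the same "unable to get local issuer certificate" when run without the -CAfile. The third function is the caveat that goes with "just add the CA to the list": once a CA is trusted, every certificate it signs chains correctly, so the hostname check is the only thing left binding a certificate to the server you meant to reach.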


