Matt Tucker

Better Security With XMPP

Blog Post created by Matt Tucker Champion on Dec 17, 2006

Peter St. Andre recently blogged about the Jabber Software Foundation becoming an intermediate certificate authority. In his words:

"What: The ICA enables us to easily and cheaply issue real, RFC3920-aware digital certificates to administrators of Jabber servers http://....
Why: Easily obtainable digital certificates will result in more widespread use of channel encryption among servers and between users and servers, which will make the Jabber network even more safe and secure than it already is."

What's a standards organization doing handing out digital certificates? I don't think Peter is taking enough credit for the vision behind this move. The JSF is attempting something revolutionary: bringing strong security to an open internet-wide protocol. Let's look at the sad state of email security to see why this is important. The global email network is riddled with SPAM -- nine out of ten messages are junk. Email security and encryption technologies like PGP and S/MIME have never taken off, which means that for the vast majority of email, there's no way to know for sure who sent it or to encrypt it. Every user knows to only enter their credit card info on web pages with "https://" in the URL, so how come we accept virtually no security in email? The public IM networks like AOL, MSN and Yahoo are just bad given their own lack encryption support.

 

Providing free certificates is another layer of the XMPP security story and helps make security both easy and ubiquitous. It also shows a commitment by the JSF to not just create protocols, but to see them become widely adopted. The Jabber/XMPP community has always done things a bit differently than other standards organizations. We create standards using an open rather than closed process and use Open Source code to help foster interoperability. The JSF becoming an ICA is another example of doing things in a different and better way.

 

Of course, we're supporting the ICA efforts in Wildfire by doing everything we can to make certificate management as easy as possible. See Gato's latest blog entry for more.

 

Outcomes