annotate mod_s2s_keysize_policy/README.markdown @ 3656:3e0f4d727825

mod_vcard_muc: Add an alternative method of signaling avatar change When the avatar has been changed, a signal is sent that the room configuration has changed. Clients then do a disco#info query to find the SHA-1 of the new avatar. They can then fetch it as before, or not if they have it cached already. This is meant to be less disruptive than signaling via presence, which caused problems for some clients. If clients transition to the new method, the old one can eventually be removed. The namespace is made up while waiting for standardization. Otherwise it is very close to what's described in https://xmpp.org/extensions/inbox/muc-avatars.html
author Kim Alvefur <zash@zash.se>
date Sun, 25 Aug 2019 20:46:43 +0200
parents 101078d9cc27

File contents (every line below comes from rev 1895, changeset 101078d9cc27 "mod_s2s_keysize_policy: Add a README", Kim Alvefur <zash@zash.se>):

---
summary: Distrust servers with too small keys
...

Introduction
============

This module marks the certificate of an s2s connection as invalid if its
public key is too small and the certificate was issued in 2014 or later,
in line with the CA/Browser Forum Baseline Requirements.

Details
=======

Under the CA/Browser Forum Baseline Requirements, Certificate Authorities
were no longer allowed to issue certificates with public keys smaller
than 2048 bits (for RSA) after December 31, 2013. This module was
written to enforce that rule on the receiving side, as some CAs were
slow to comply. As of 2015 it is probably of little relevance anymore,
but it is still useful for anyone who wants to raise their security
level.

When a server is determined to have a "too small" key, this module sets
its chain and identity status to "invalid", so Prosody will treat it as
a self-signed certificate instead. Certificates issued before the cutoff
are left alone, so a legacy small key from before 2014 keeps whatever
status Prosody's normal verification gave it until that certificate
expires.

"Too small"
-----------

The definition of "too small" depends on the key type and is taken from
[RFC 4492], which lists the sizes below as roughly equivalent in
strength (the 112-bit symmetric row of its comparison table). A key
shorter than the size given for its type is considered too small.

  Type   bits
  ------ ------
  RSA    2048
  DSA    2048
  DH     2048
  EC     233
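As an added example for this README (not the module's own code, which is Lua), here is the same policy in Python: the RFC 4492 floors from the table, the 2014 cutoff, and the resulting status change, applied to the text form of a certificate as printed by `openssl x509 -noout -text`. The dict standing in for Prosody's s2s session object, the `keysize_policy_reason` field, and the certificate excerpts are assumptions of this example; the excerpts are constructed, not real certificates.

```python
"""Key-size policy check modelled on mod_s2s_keysize_policy.

Example code written for this README, not the module's own Lua. It applies
the documented rule (key below the RFC 4492 floor for its type AND
certificate issued on or after 2014-01-01 -> chain and identity status
"invalid") to the output of `openssl x509 -noout -text`.
"""
import re
from datetime import datetime, timezone

# Minimum key sizes by type, from the README's table (RFC 4492 Table 1,
# 112-bit symmetric strength row). Anything below is "too small".
MIN_BITS = {"RSA": 2048, "DSA": 2048, "DH": 2048, "EC": 233}

# OpenSSL's algorithm names mapped onto the README's key types.
ALGORITHM_TYPE = {
    "rsaEncryption": "RSA",
    "dsaEncryption": "DSA",
    "dhpublicnumber": "DH",
    "id-ecPublicKey": "EC",
}

# Certificates with a notBefore on or after this date fall under the
# CA/B Forum rule; older ones are left alone, as the README describes.
CUTOFF = datetime(2014, 1, 1, tzinfo=timezone.utc)


def key_too_small(key_type, bits):
    """True if a key of this type is below the RFC 4492 floor.
    Types not in the table (e.g. Ed25519) are not judged and pass through."""
    minimum = MIN_BITS.get(key_type)
    return minimum is not None and bits < minimum


def should_distrust(key_type, bits, not_before):
    """Both conditions of the module's rule must hold."""
    return key_too_small(key_type, bits) and not_before >= CUTOFF


def parse_openssl_text(text):
    """Pull (key_type, bits, not_before) out of `openssl x509 -noout -text`.
    Matches both "Public-Key: (N bit)" and "RSA Public-Key: (N bit)"."""
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text).group(1)
    bits = int(re.search(r"Public-Key:\s*\((\d+) bit\)", text).group(1))
    stamp = re.search(r"Not Before:\s*(.+?)\s*$", text, re.M).group(1)
    # OpenSSL prints e.g. "Mar  3 12:00:00 2015 GMT"; the day may be space-padded.
    not_before = datetime.strptime(stamp.replace(" GMT", ""), "%b %d %H:%M:%S %Y")
    return ALGORITHM_TYPE.get(alg, alg), bits, not_before.replace(tzinfo=timezone.utc)


def apply_policy(session, cert_text):
    """On a violation, set both chain and identity status to "invalid" so the
    certificate is handled like a self-signed one. `session` is a plain dict
    standing in for Prosody's s2s session (an assumption of this example);
    keysize_policy_reason is an extra field added here for diagnostics."""
    key_type, bits, not_before = parse_openssl_text(cert_text)
    if should_distrust(key_type, bits, not_before):
        session["cert_chain_status"] = "invalid"
        session["cert_identity_status"] = "invalid"
        session["keysize_policy_reason"] = (
            f"{key_type} key of {bits} bits is below {MIN_BITS[key_type]}, "
            f"certificate issued {not_before:%Y-%m-%d}"
        )
    return session


# Constructed excerpts in the shape of `openssl x509 -noout -text` output
# (made up for this example; not real certificates).
WEAK_2015 = """\
        Validity
            Not Before: Mar  3 12:00:00 2015 GMT
            Not After : Mar  2 12:00:00 2016 GMT
        Subject: CN=xmpp.example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""
# Same weak key, but issued before the cutoff: the module leaves it alone.
WEAK_2012 = WEAK_2015.replace("2015 GMT", "2012 GMT").replace("2016 GMT", "2013 GMT")
EC_2019 = """\
        Validity
            Not Before: Jun 10 08:30:00 2019 GMT
            Not After : Sep  8 08:30:00 2019 GMT
        Subject: CN=xmpp.example.net
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                NIST CURVE: P-256
"""

if __name__ == "__main__":
    for name, text in (("WEAK_2015", WEAK_2015), ("WEAK_2012", WEAK_2012), ("EC_2019", EC_2019)):
        fresh = {"cert_chain_status": "valid", "cert_identity_status": "valid"}
        print(name, apply_policy(fresh, text))
```

To check a live peer, capture its certificate (for example with `openssl s_client -connect peer.example:5269 -starttls xmpp-server -xmpphost peer.example`), run it through `openssl x509 -noout -text`, and pass that text to `apply_policy`. Only the first two cases change status: the 2012 certificate has the same 1024-bit key but predates the cutoff, which is exactly the distinction the module draws.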

Compatibility
=============

Works with Prosody 0.9 and later. Requires LuaSec with [support for
inspecting public keys](https://github.com/brunoos/luasec/pull/19).

[RFC 4492]: https://www.rfc-editor.org/rfc/rfc4492