Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
branch: master
Fetching contributors…

Cannot retrieve contributors at this time

41 lines (37 sloc) 2.789 kb
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<title>Verifying a Public XMPP Service</title>
<!--#include virtual="/includes/head.txt" -->
<h2>Verifying a Public XMPP Service</h2>
<p>When someone <a href='register.shtml'>registers</a> an XMPP service with us, here is how we verify the registration...</p>
<ol>
<li>
<p>Ensure that the request is approved by one of the official representatives for the <em>root</em> domain by forwarding the message sent on the <a href='http://mail.jabber.org/mailman/listinfo/operators'>operators@xmpp.org list</a> to (1) the email address(es) listed in the whois record for the root domain and (2) the hostmaster/postmaster/webmaster email addresses for the root domain. (By "root domain" we mean the lowest-level domain that can be looked up in whois -- e.g., if the XMPP service is running at im.example.com then we contact the owners and admins for example.com.)</p>
<p>Typically the message we send includes a unique identifier for tracking purposes and says something like this:</p>
<blockquote><p>"Please affirm that you approve of the following request to add the im.example.com service to the list at http://xmpp.org/services/ ..."</p></blockquote>
</li>
<li>
<p>Check for appropriate DNS SRV records using the dig command, such as:</p>
<blockquote><p>dig +short -t SRV _xmpp-client._tcp.im.example.com</p>
<p>dig +short -t SRV _xmpp-server._tcp.im.example.com</p></blockquote>
</li>
<li>
<p>Verify that there is indeed an XMPP service running at the domain for server-to-server and client-to-server communications using telnet to the ports discovered via SRV lookups, such as:</p>
<blockquote><p>telnet im.example.com 5222</p>
<p>telnet im.example.com 5269</p></blockquote>
<p>We also probe the legacy SSL-only port 5223, because we check that in the next step:</p>
<blockquote><p>telnet im.example.com 5223</p></blockquote>
<li>
<p>Validate the certificate against the root cert of the security provider to make sure that secure connections can be established without errors. We do this by checking port 5223 using the OpenSSL s_client feature, such as:</p>
<blockquote><p>openssl s_client -connect im.example.com:5223 -CAfile startcom.crt</p></blockquote>
<p>This check also helps to ensure backward-compatibility with clients that cannot yet support STARTTLS.</li>
</li>
<li>
<p>Visit the website of the service to make sure that it is accurate, provides contact information, etc.</p>
</li>
<li>
<p>Communicate with the service administrator via XMPP.</p>
</li>
</ol>
<!--#include virtual="/includes/foot.txt" -->
Jump to Line
Something went wrong with that request. Please try again.