The Server Club

2005-04-20

I've been thinking about the desirability of building something like web of trust among admins of servers on the open Jabber/XMPP network.

Let's think about the goal. To me, the goal is to strengthen trust in the network of open Jabber servers. One part of that is SSL/TLS for server-to-server connections. I really don't care if people use self-signed certificates for TLS, as long as there is a way to check with other servers on the network the first time. For example, let's says that a new server jabber.belnet.be connects to amessage.info; it would be nice if Matthias (admin of amessage.info) could check with jabber.org to see if we think that is a good server or not.

Another part of strengthening the network is improving communication among server admins. For example, I would like to run a special mailing list for people who administer open Jabber servers so that we can discuss issues, debug problems, etc.

I'd also like to make it a bit harder to get on the list of open servers, so that end users can have some confidence that if a server is on the list then the server is fairly trustworthy. Of course someone could run their own server or use a server that is not on the list, but the servers on the list are special -- like a club that you have to join or something. Then we can build trust within that club, without saying that other servers are bad.

There are many aspects to this trust. It is much more than having a stupid cert! For example, I trust Matthias because I have met him in person and I know him from conversations via email and IM over many years. So I transfer some of that trust to his amessage.* domains. But trust could also come from seeing the traffic that originates from a domain, whether that server is well-behaved, how often it is down, whether it has a server status page, how quickly the admin responds, etc.

I don't know yet whether it makes sense to form this kind of "server club". But we could try it out, could see how it works and then eventually try to formalize some of our processes by writing a web-of-trust protocol for XMPP servers. But I think the protocols can't be developed until after we have some social experience in this area.


Peter Saint-Andre > Journal