Monal
POSH (PKIX over Secure HTTP, RFC 7711) support
Originally posted by jeifour February 23, 2022 As the template for feature requests seems not to be in working order, I decided to open this discussion thread instead. Hope that's fine.
I know your stance regarding a user's ability to disable certificate verification. I've also seen that some people struggle with setting up valid certificates (#406 / #497) on their XMPP servers. Personally, I especially resonated with this comment:
Giving a chat server a certificate for the bare domain seems like it is exceeding the authority it should be given. A vulnerability here would be more significant.
Clients like Conversations/Gajim also implement RFC 7711 which would make it unnecessary for the XMPP server to hold the private keys to your trusted certificate. It seems like a convenient feature that could even make certain deployments more secure. Interested in any comments :)
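To make the mechanism jeifour is describing concrete, here is an added example of the client-side POSH check as RFC 7711 lays it out; it is illustrative code written for this thread, not Monal's, Conversations' or Gajim's implementation. It assumes a caller-supplied `fetch(url)` HTTPS function (stubbed with an in-memory table so it runs offline), constructed byte strings standing in for DER certificates, and the made-up domains `example.org`, `referral.example`, `chain.example` and `posh.hosting.example`.

```python
"""POSH (RFC 7711) client-side verification, written as an illustrative example
for this thread. It is not Monal's code and not a reference implementation.

Flow: the client fetches https://<domain>/.well-known/posh/<service>.json over a
normally PKIX-validated HTTPS connection, obtains either a list of certificate
fingerprints or a single https:// referral to such a list, and compares the
certificate the XMPP service actually presented against those fingerprints.
Only the web server needs a key trusted by the client's CA store; the XMPP
server needs only a certificate whose hash is published in the POSH document.
"""
import base64
import hashlib
import hmac
import json

# Service names follow the SRV label without the "_" prefixes, e.g. xmpp-client.
WELL_KNOWN = "https://{domain}/.well-known/posh/{service}.json"
# Hash names as they appear in POSH documents, mapped to hashlib names.
SUPPORTED_HASHES = {"sha-256": "sha256", "sha-512": "sha512"}


def posh_url(domain: str, service: str = "xmpp-client") -> str:
    return WELL_KNOWN.format(domain=domain, service=service)


def fingerprint(der_cert: bytes, alg: str = "sha-256") -> str:
    """Base64 of the hash over the DER-encoded certificate (not over the SPKI)."""
    digest = hashlib.new(SUPPORTED_HASHES[alg], der_cert).digest()
    return base64.b64encode(digest).decode("ascii")


def build_posh_document(der_certs, expires: int = 604800, alg: str = "sha-256") -> str:
    """Server side: publish fingerprints of the certs the XMPP service will present."""
    entries = [{alg: fingerprint(c, alg)} for c in der_certs]
    return json.dumps({"fingerprints": entries, "expires": expires})


def parse_posh(text: str) -> dict:
    """Validate shape: exactly one of 'fingerprints' or 'url', plus an 'expires' TTL."""
    doc = json.loads(text)
    if not isinstance(doc, dict):
        raise ValueError("POSH document must be a JSON object")
    expires = doc.get("expires")
    if not isinstance(expires, int) or isinstance(expires, bool) or expires < 0:
        raise ValueError("'expires' must be a non-negative integer")
    has_fp, has_url = "fingerprints" in doc, "url" in doc
    if has_fp == has_url:
        raise ValueError("need exactly one of 'fingerprints' or 'url'")
    if has_url:
        if not isinstance(doc["url"], str) or not doc["url"].startswith("https://"):
            raise ValueError("referral must be an https:// URL")
        return doc
    fps = doc["fingerprints"]
    if not isinstance(fps, list) or not fps or not all(isinstance(e, dict) and e for e in fps):
        raise ValueError("'fingerprints' must be a non-empty list of objects")
    return doc


def verify_certificate(der_cert: bytes, doc: dict) -> bool:
    """True if the presented cert matches any fingerprint under a supported hash.
    Unknown hash names are skipped, so a document that lists a newer algorithm
    next to sha-256 still verifies on an older client."""
    for entry in doc["fingerprints"]:
        for alg, expected in entry.items():
            if alg in SUPPORTED_HASHES and isinstance(expected, str):
                if hmac.compare_digest(fingerprint(der_cert, alg), expected):
                    return True
    return False


def resolve_and_verify(domain: str, der_cert: bytes, fetch) -> bool:
    """Client side. 'fetch(url) -> str' is a hypothetical HTTPS fetcher; it must
    itself do normal PKIX validation of the web server, because that is where the
    trust in the POSH document comes from. At most one referral is followed."""
    doc = parse_posh(fetch(posh_url(domain)))
    if "url" in doc:
        doc = parse_posh(fetch(doc["url"]))
        if "url" in doc:
            raise ValueError("referral must point at fingerprints, not another referral")
    return verify_certificate(der_cert, doc)


# Constructed sample data: stand-ins for DER certificates, not real ones. The
# logic only ever hashes the bytes, so any byte strings exercise it.
CERT_A = b"\x30\x82\x01\x00-constructed-der-for-xmpp.example.org"
CERT_B = b"\x30\x82\x01\x00-constructed-der-for-an-impostor"

# In-memory stand-in for the web: example.org serves its POSH file directly,
# referral.example points at a hosted document, chain.example forms a forbidden chain.
DOCS = {
    posh_url("example.org"): build_posh_document([CERT_A]),
    posh_url("referral.example"): json.dumps(
        {"url": "https://posh.hosting.example/xmpp.json", "expires": 3600}),
    "https://posh.hosting.example/xmpp.json": build_posh_document([CERT_A], expires=86400),
    posh_url("chain.example"): json.dumps(
        {"url": "https://posh.hosting.example/hop.json", "expires": 3600}),
    "https://posh.hosting.example/hop.json": json.dumps(
        {"url": "https://posh.hosting.example/xmpp.json", "expires": 3600}),
}


def offline_fetch(url: str) -> str:
    return DOCS[url]


if __name__ == "__main__":
    print("example.org, genuine cert:", resolve_and_verify("example.org", CERT_A, offline_fetch))
    print("example.org, other cert:  ", resolve_and_verify("example.org", CERT_B, offline_fetch))
    print("referral.example:         ", resolve_and_verify("referral.example", CERT_A, offline_fetch))
```

The point to keep in mind when reviewing a real implementation is that the HTTPS fetch of the `.well-known/posh/` document is the whole security boundary: if that fetch skips certificate validation, or follows a referral to a plain `http://` URL or through a chain of referrals, an attacker who can answer the fetch can publish the fingerprint of their own XMPP certificate. The XMPP server's certificate itself can then be self-signed, which is exactly why the domain's private key never has to live on the chat host.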
We had an internal discussion regarding RFC 7711 a few weeks ago. We might implement it in the long term. I think that RFC 7711 is mainly an enterprise feature, but correct me if I am wrong.
@jeifour
Thanks for the ping and for setting up the issue to discuss my feature request. I'm not aware whether POSH is used mainly in the enterprise or not. But I think it could make running one's own chat server easier depending on the already existing infrastructure. It would've certainly helped me out.
We will be happy to review a PR, if someone wants to implement POSH in Monal.