[standards-jig] new security JEP

Mike Lin mlin at mlin.net
Wed May 8 18:58:58 CDT 2002


Here are some comments I have - 

XMLDSIG, XMLENC, and XKMS are becoming pretty coherent standards, and I
wonder why we should follow a Standards Track process for a homegrown
protocol rather than adopt these. I don't mean to be shooting this down,
but I would appreciate additional commentary by the author on how this
protocol can achieve "closer alignment" with these imminent standards. 

3.3.4 specifies that cryptographic operations over character strings
must be carried out over the UTF-16 encoding of the string. I am curious
why UTF-16 and not UTF-8. We generally handle strings as UTF-8
currently. UTF-8 frees us from some byte ordering concerns and is more
efficient to store. Cryptographically, a UTF-8 string tends to have more
entropy than an equivalent UTF-16 string. Finally, it would just make my
life easier to use UTF-8. 

These points aside, the protocol thus far is well thought out and
elegantly designed, accompanied with lucid commentary and clear
explanation. My compliments to the author. 

-Mike 



On Wed, 2002-05-08 at 19:35, Peter Saint-Andre wrote: 
> I've just published a JEP I received yesterday regarding Jabber security.
> You can review it here:
> 
> http://www.jabber.org/jeps/jep-0031.html
> 
> Peter
> 
> --
> Peter Saint-Andre
> email+jabber: stpeter at jabber.org
> weblog: http://www.saint-andre.com/blog/
> 
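The byte-ordering concern raised in the message above, shown as an added example that is not part of the original post or of JEP-0031: the same character string serializes to different bytes under UTF-8, UTF-16BE, UTF-16LE and BOM-prefixed UTF-16, so a MAC computed by one party fails to verify for another unless the specification pins byte order and BOM handling. HMAC-SHA-256, the key and the sample string are assumptions constructed for the illustration.

```python
import hashlib
import hmac

# Candidate serializations of one character string. Python's plain "utf-16"
# codec prepends a byte order mark and uses the platform's native byte order.
ENCODINGS = ("utf-8", "utf-16-be", "utf-16-le", "utf-16")

SAMPLE = "ren\u00e9@example.org/laptop"   # constructed sample, one non-ASCII char
KEY = b"constructed-demo-key"             # constructed key, illustration only


def digests(text: str) -> dict:
    """SHA-256 of `text` under each candidate encoding."""
    return {enc: hashlib.sha256(text.encode(enc)).hexdigest() for enc in ENCODINGS}


def sizes(text: str) -> dict:
    """Number of bytes fed to the hash under each candidate encoding."""
    return {enc: len(text.encode(enc)) for enc in ENCODINGS}


def sign(key: bytes, text: str, encoding: str) -> bytes:
    """MAC over the chosen byte serialization of `text`."""
    return hmac.new(key, text.encode(encoding), hashlib.sha256).digest()


def verify(key: bytes, text: str, encoding: str, tag: bytes) -> bool:
    """Recompute the MAC with the verifier's encoding, compare in constant time."""
    return hmac.compare_digest(sign(key, text, encoding), tag)


def interop_matrix(key: bytes, text: str) -> dict:
    """(signer encoding, verifier encoding) -> whether verification succeeds."""
    return {
        (s, v): verify(key, text, v, sign(key, text, s))
        for s in ENCODINGS
        for v in ENCODINGS
    }


if __name__ == "__main__":
    for enc, hexdigest in digests(SAMPLE).items():
        print(f"{enc:10} {sizes(SAMPLE)[enc]:3d} bytes  {hexdigest[:16]}...")
    for (s, v), ok in interop_matrix(KEY, SAMPLE).items():
        if not ok:
            print(f"signer={s:10} verifier={v:10} -> MAC mismatch")
```

Only the diagonal of the matrix verifies: two implementations that both say "UTF-16" but disagree on byte order or BOM produce incompatible MACs, while UTF-8 has a single byte serialization for a given string.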