[Standards] Any protocol to request encrypted connections?
Ian Paterson
ian.paterson at clientside.co.uk
Mon Feb 5 15:43:21 CST 2007
Matthias Wimmer wrote:
> Especially if I am not able to do e2e. E.g. because the destination's
> server does not want to allow e2e encryption because it has to log all
> exchanged messages, because the message is passing a gateway and we
> already start to forget RFC 3923, or just because the client is
> connecting using a web-based interface.
Yes, you're right. (Although Web clients will do full-strength e2e.)
The 'security' field in XEP-0155 allows the sender (or receiver) to
specify that both clients must be securely connected to their servers.
But something like XEP-0079 will be necessary for s2s... unless we
specify in RFC3920bis that servers MUST use SASL-TLS for all s2s
connections!
> With the web-based interface the user cannot do e2e encryption without
> giving away his keys...
The client can either accept or generate a key pair and then
symmetrically encrypt the private key with a hash of (one of) the user's
password(s). (The server doesn't have the password because that is not
necessary with SASL.) The encrypted private key is then stored with the
user's private data on the server. Unfortunately the user still has to
trust that her Web server hasn't been compromised - since she downloads
her client from that server every time (using TLS).
- Ian
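
The key-storage scheme described in the message above, as an added example that is not part of the original post or of any XEP: a client generates a key pair, encrypts the private key under a key derived from the user's password, and uploads only the resulting blob. The function names, the blob layout, Ed25519, AES-256-GCM and the use of scrypt in place of a plain password hash are all assumptions made for this illustration.

```javascript
// Added example: password-wrapped private key for server-side storage.
const crypto = require('node:crypto');

// scrypt cost parameters (assumed values); maxmem is raised so N = 2^15 is accepted.
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Derive the wrapping key from the password. scrypt stands in for the
// "hash of the password": a single fast hash would be cheap to brute-force
// for anyone who obtains the stored blob.
function deriveKey(password, salt) {
  return crypto.scryptSync(password.normalize('NFKC'), salt, 32, SCRYPT);
}

// Client side: encrypt the PKCS#8 private key. Only this blob is uploaded.
function wrapPrivateKey(privateKey, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const der = privateKey.export({ type: 'pkcs8', format: 'der' });
  const ct = Buffer.concat([cipher.update(der), cipher.final()]);
  return { v: 1, salt: salt.toString('base64'), iv: iv.toString('base64'),
           tag: cipher.getAuthTag().toString('base64'), ct: ct.toString('base64') };
}

// Client side, after download: the GCM tag check makes final() throw on a
// wrong password or on a blob that was modified while stored.
function unwrapPrivateKey(blob, password) {
  const b = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(password, b(blob.salt));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, b(blob.iv));
  decipher.setAuthTag(b(blob.tag));
  const der = Buffer.concat([decipher.update(b(blob.ct)), decipher.final()]);
  return crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
}

// Round trip with a constructed password and a freshly generated key pair.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const stored = JSON.stringify(wrapPrivateKey(privateKey, 'constructed example passphrase'));
  const restored = unwrapPrivateKey(JSON.parse(stored), 'constructed example passphrase');
  const msg = Buffer.from('constructed test message');
  const sig = crypto.sign(null, msg, restored);
  let wrongRejected = false;
  try { unwrapPrivateKey(JSON.parse(stored), 'wrong password'); } catch { wrongRejected = true; }
  return { verified: crypto.verify(null, msg, publicKey, sig), wrongRejected };
}
```

The blob protects the key only while the server never sees the password, and it does nothing against the residual risk named in the message: a compromised Web server can still deliver a modified client.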