mass at akuma.org
Wed Apr 10 14:12:00 CDT 2002
Max Metral wrote:
>Right, but doesn't that essentially limit us to PGP? I understand this is
>informational, but it would seem to be one of those things that can be
>explained several ways, and I'd like to see it explained as if it was more
>flexible than the way it's being used today.
Actually, the replay issues I mentioned are only really solvable by
having some sort of key negotiation (which can be encrypted via PGP or
done via a DH key exchange); you want both parties to take part in
choosing a unique session key, or each receiving party to choose a key
to be used for data sent to it. Both the feature negotiation and key
negotiation will require a different protocol.
Actually, that brings up another interesting point - (since this is
informational) - are there any accepted client standards for figuring out
if the trust level of the remote entity is adequate for PGP encryption?
I suppose that is more of an identity question; there isn't currently a
way to guarantee the identity of a user against man in the middle or
machine takeovers on Jabber, and this standard does not provide any
means to verify the identity of the other party (because of the replay
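The following is an added example, not part of the original message or of any Jabber specification: it shows why a session key that both parties help choose defeats replay, where a static key does not. The names `LONG_TERM_SECRET`, `session_key`, `tag_for` and `Receiver` are hypothetical, and an HMAC tag stands in for encryption to keep the sketch within the standard library.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a secret both parties already hold, e.g. one sent
# under PGP encryption or produced by a DH exchange (assumption).
LONG_TERM_SECRET = b"constructed-demo-secret"


def session_key(secret: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """Derive a per-session key that depends on both parties' fresh nonces."""
    return hmac.new(secret, b"session" + nonce_a + nonce_b, hashlib.sha256).digest()


def tag_for(key: bytes, seq: int, body: bytes) -> bytes:
    """Authenticate the sequence number together with the message body."""
    return hmac.new(key, seq.to_bytes(8, "big") + body, hashlib.sha256).digest()


class Receiver:
    """Accepts a message only if its tag verifies and its sequence number is new."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, seq: int, body: bytes, tag: bytes) -> bool:
        valid = hmac.compare_digest(tag, tag_for(self.key, seq, body))
        if not valid or seq <= self.last_seq:
            return False
        self.last_seq = seq
        return True


def demo() -> dict:
    body = b"constructed message"
    # Static key: a captured message verifies again for any later receiver.
    old = (0, body, tag_for(LONG_TERM_SECRET, 0, body))
    static = Receiver(LONG_TERM_SECRET).accept(*old)
    # Negotiated key: each side contributes a fresh 16-byte nonce per session.
    k1 = session_key(LONG_TERM_SECRET, os.urandom(16), os.urandom(16))
    msg = (0, body, tag_for(k1, 0, body))
    rx = Receiver(k1)
    first, again = rx.accept(*msg), rx.accept(*msg)
    k2 = session_key(LONG_TERM_SECRET, os.urandom(16), os.urandom(16))
    later = Receiver(k2).accept(*msg)
    return {"static_key_replay": static, "first_delivery": first,
            "same_session_replay": again, "new_session_replay": later}
```

Because the receiver's own nonce feeds the key, a message captured in one session cannot verify in the next, and the sequence number covers replay inside a session.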