[Council] JEP-0027

David Waite mass at akuma.org
Wed Apr 10 14:59:57 CDT 2002


(replying to myself)
I am changing my vote to -1, pending the changes I outlined earlier.

-David Waite

David Waite wrote:

> Max Metral wrote:
>
>> Right, but doesn't that essentially limit us to PGP?  I understand
>> this is informational, but it would seem to be one of those things
>> that can be explained several ways, and I'd like to see it explained
>> as if it was more flexible than the way it's being used today.
>>
> Actually, the replay issues I mentioned are only really solvable by 
> having some sort of key negotiation (which can be encrypted via pgp or 
> done via a dh key exchange); you want both parties to take part in 
> choosing a unique session key, or each receiving party to choose a key 
> to be used for data sent to it. Both the feature negotiation and key 
> negotiation will require a different protocol.
>
> Actually, that brings up another interesting point - (since this is 
> informational) - are there any accepted client standards for figuring 
> out if the trust level of the remote entity is adequate for pgp 
> encryption? I suppose that is more of an identity question; there 
> isn't currently a way to guarantee the identity of a user against man 
> in the middle or machine takeovers on Jabber, and this standard does 
> not provide any means to verify the identity of the other party 
> (because of the replay issues.)
>
> -David Waite
>

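The replay point in the quoted message, as an added example that is not part of the original post or of JEP-0027: a message protected under a static key still verifies when it is resent later, while a key derived from nonces chosen by both parties rejects it in any new session. The pre-shared `secret` stands in for the PGP- or DH-protected negotiation, HMAC tagging stands in for encryption, and all function and class names are hypothetical.

```python
import hashlib
import hmac
import os


def derive_session_key(secret: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    # Each party contributes a fresh nonce, so neither side alone fixes the key.
    return hmac.new(secret, b"session" + nonce_a + nonce_b, hashlib.sha256).digest()


def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    # Layout: 8-byte counter | payload | 32-byte HMAC-SHA256 tag.
    header = counter.to_bytes(8, "big")
    return header + payload + hmac.new(key, header + payload, hashlib.sha256).digest()


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, message: bytes) -> bool:
        body, tag = message[:-32], message[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # wrong key, truncated or tampered message
        counter = int.from_bytes(body[:8], "big")
        if counter <= self.last_counter:
            return False  # replay inside the current session
        self.last_counter = counter
        return True


def demo() -> dict:
    secret = os.urandom(32)  # constructed long-term secret (assumption, see lead-in)
    stanza = b"<message>constructed sample</message>"
    # Static key reused for every session: a captured message verifies again later.
    captured = seal(secret, 0, stanza)
    static = [Receiver(secret).accept(captured), Receiver(secret).accept(captured)]
    # Negotiated key: sender nonce a1, receiver nonce chosen fresh per session.
    a1 = os.urandom(16)
    k1 = derive_session_key(secret, a1, os.urandom(16))
    captured = seal(k1, 0, stanza)
    rx = Receiver(k1)
    same_session = [rx.accept(captured), rx.accept(captured)]
    # New session: a1 can be resent, but the receiver's nonce is new.
    k2 = derive_session_key(secret, a1, os.urandom(16))
    return {"static": static, "same_session": same_session,
            "new_session": Receiver(k2).accept(captured)}
```
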