[Council] JEP-0027

Peter Saint-Andre stpeter at jabber.org
Wed Apr 10 15:18:44 CDT 2002


Sounds great. I agree that we need to focus on XES as a more robust
solution. The whole PGP/GPG thing was just a stopgap anyway, so let's
document it (informational) and move on to something better. :)

Peter

--
Peter Saint-Andre
email+jabber: stpeter at jabber.org
weblog: http://www.saint-andre.com/blog/

On 10 Apr 2002, Thomas Muldowney wrote:

> Just as a note I asked DW to do this.  I felt his previous comments
> warranted fixing.
> 
> Max, this does limit us to PGP, and that's because that was its
> intention and its current usage.  I'm currently drafting my thoughts on
> XES in a JEP form to further discussion, and I believe all efforts
> should be focussed on that rather than rehashing an old and inferior
> system =)
> 
> I'll repost tonight or early tomorrow and see what everyone thinks.
> 
> --temas
> 
> 
> On Wed, 2002-04-10 at 14:59, David Waite wrote:
> > (replying to myself)
> > I am changing my vote to -1, pending the changes I outlined earlier.
> > 
> > -David Waite
> > 
> > David Waite wrote:
> > 
> > > Max Metral wrote:
> > >
> > >> Right, but doesn't that essentially limit us to PGP?  I understand 
> > >> this is
> > >> informational, but it would seem to be one of those things that can be
> > >> explained several ways, and I'd like to see it explained as if it was 
> > >> more
> > >> flexible than the way it's being used today.
> > >>
> > > Actually, the replay issues I mentioned are only really solvable by 
> > > having some sort of key negotiation (which can be encrypted via pgp or 
> > > done via a dh key exchange); you want both parties to take part in 
> > > choosing a unique session key, or each receiving party to choose a key 
> > > to be used for data sent to it. Both the feature negotiation and key 
> > > negotiation will require a different protocol.
> > >
> > > Actually, that brings up another interesting point - (since this is 
> > > informational) - are there any accepted client standards for figuring 
> > > out if the trust level of the remote entity is adequate for pgp 
> > > encryption? I suppose that is more of an identity question; there 
> > > isn't currently a way to guarantee the identity of a user against man 
> > > in the middle or machine takeovers on Jabber, and this standard does 
> > > not provide any means to verify the identity of the other party 
> > > (because of the replay issues.)
> > >
> > > -David Waite
> > >
> > >
> > >
> > > _______________________________________________
> > > Council mailing list
> > > Council at jabber.org
> > > http://mailman.jabber.org/listinfo/council
> > 
> 
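
The replay point David Waite raises in the quoted text above, as an added example that is not part of the original thread or of JEP-0027: a simplified Python model in which HMAC under a constructed shared key stands in for the PGP operation, and `accept_static`, `Session` and `demo` are hypothetical names. It compares a receiver that checks only the long-term key with one whose session key mixes a fresh nonce from each party; the per-session sequence counter goes slightly beyond the thread and is an assumption of the example.

```python
import hashlib
import hmac
import os

LONG_TERM_KEY = b"constructed-demo-key"  # constructed; stands in for the PGP keys


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def accept_static(body, tag):
    """Receiver with no session state: a valid message passes every time."""
    return hmac.compare_digest(mac(LONG_TERM_KEY, body), tag)


class Session:
    """One end of a session keyed from a fresh nonce chosen by each party."""
    def __init__(self, nonce_a, nonce_b):
        self.key = mac(LONG_TERM_KEY, b"session" + nonce_a + nonce_b)
        self.next_send = 0
        self.next_recv = 0

    def protect(self, body):
        seq = self.next_send
        self.next_send += 1
        return seq, body, mac(self.key, seq.to_bytes(8, "big") + body)

    def accept(self, seq, body, tag):
        expected = mac(self.key, seq.to_bytes(8, "big") + body)
        if not hmac.compare_digest(expected, tag) or seq < self.next_recv:
            return False  # other session's key, or sequence number already seen
        self.next_recv = seq + 1
        return True


def demo():
    body = b"constructed message body"
    static_tag = mac(LONG_TERM_KEY, body)
    a1, b1 = os.urandom(16), os.urandom(16)
    sender, receiver = Session(a1, b1), Session(a1, b1)
    captured = sender.protect(body)
    later = Session(os.urandom(16), os.urandom(16))  # a later session, new nonces
    return {
        "static_first": accept_static(body, static_tag),
        "static_replay": accept_static(body, static_tag),
        "session_first": receiver.accept(*captured),
        "session_replay_same": receiver.accept(*captured),
        "session_replay_later": later.accept(*captured),
    }
```

Calling `demo()` shows the stateless receiver accepting the same captured message twice, while the session-keyed receiver accepts it once and rejects it both within the same session and in a later one.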



