[Council] proto-JEP: Security JIG

Peter Saint-Andre stpeter at jabber.org
Wed Jul 21 09:57:50 CDT 2004


On Tue, Jul 20, 2004 at 01:21:52PM -0500, Thomas Muldowney wrote:
> 
> I'm wary if this needs a full JIG?  Every time we try this approach it 
> doesn't work well.  Is this going to end up being something that only 3 
> people are doing again?  Is there really enough devotion to it?  I'd 
> like to see some more along those lines before we go forward with 
> another JIG creation.  Just the scope scares me, it's ambitious, but 
> perhaps overreaching without a solid group to work at it, and for quite 
> a while.

A large number of people, some of them quite knowledgeable about
security, have volunteered to help, and I plan to recruit others as
necessary. Currently we are having security discussions on the JADMIN 
list (!) and in one-to-one chats, with no information sharing across 
the various conversations. IMHO we need to have one place where people 
can figure out the threat model and then a security model for XMPP, 
document their findings, and then let others define protocols that
address the identified threats. Something along these lines would be 
a good first step:

http://iang.org/ssl/browser_threat_model.html

The group that puts this together needs to be focused, disciplined,
motivated, and realistic. I think we have all the principles, processes,
and people in place (or suitably outlined) so that we can complete the
tasks defined in the proposal.

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.php


