Thomas D. Charron tcharron at my-deja.com
Mon Aug 9 17:10:36 CDT 1999

On Mon, 9 Aug 1999 16:05:57 Aaron Brady (insomnike) wrote:
>Really tho, storing privkeys on a server is a big no-no. It defeats the
>purpose of using it for authentication and encryption.
>this person are 'known' to be real, because the person has to auth
>with the server.
>If the server is compromised, then there is no reassurance a person
>is who they say they are.

  Yep.  Same with email..  Anyone can send as anyone if they know what they're doing..

>Therefore, people use digital signatures. You can trust a digsig
>from me if it's a) signed by someone you trust, and b) you believe
>I am the only person with access to it.

  Great, but forcing ALL USERS to use this is foolish..  Some people don't want the hassle..  That's why I'm for it as an option, but would say to require everyone carry around disks is just plain silly.  And how do I then have a Web based client?  I can't..

>If my privkey is stored on the server, locked by my Jabber password,
>then anyone who can get my password OR compromise the server, can 'be'
>me. This provides no more security than the password-only system,
>and requires considerably more work.

  Unless of course the mod_digisign module required an additional passphrase that must be different from your password to enable it..

>I envisage a system, where only one of the Jabber users 'nicks' are
>crypto-enabled, it being the one that currently has the key. When
>a crypted message is sent (in the <ext> tags?) a plaintext message
>is sent to the non-crypto clients informing them that someone has
>sent a message they can't read. It would be nice, if perhaps
>user-unfriendly, to enforce the policy that only one crypto-enabled
>nick is active per user, as this is the only policy that truly
>guarantees security.

  Ok, I think I see where you're coming from..  I got the impression you really meant that everyone must carry a digital signature around on a floppy.. ;-P  Again, this will be nice, but I think we need to strike a balance between things.  I like the idea of the say tags saying 'You can't read this, because it contains encrypted data', or have a <message type='encryptedDES'>, which, I'd like to point out, is FULLY LEGAL for clients to send..

>While we have to aim for 'Grandma's IM', we shouldn't do so by sacrificing
>security, or features. Does _your_ grandma use crypto?

  Nope, she's dead, and before that, she knew how to use an AIM client that automagically kept her password and logged in when she was online..

Thomas Charron
