[JDEV] Message security [was File Transfer]

Jens Alfke jens at mac.com
Tue Apr 10 12:16:05 CDT 2001


On Tuesday, April 10, 2001, at 09:36 AM, Mathew Johnston wrote:

> Check out www.megaepic.com/~johnston/newencryption.txt - its a proposal
> that we're working on to get some better encryption support into jabber.

This looks good. I'm glad to see it piggybacking on a standard XML 
encryption scheme, especially one that can contain an entire <message> 
element.

For public key exchange, why not store the key (a complete certificate, 
actually) on the server using the public data space* described in [JPO 
1.6.10] (confusingly under the "jabber:iq:private" namespace 
description!) Just declare a new namespace like 
"jabber:public:publickey" and store your certificate in an XML element. 
No new protocol needed.

The only issue I can see is that it allows anyone to get the public key, 
but that shouldn't cause problems; it is after all a public key. If only 
buddies could get it, you wouldn't be able to send a signed message to a 
non-buddy and have them be able to verify it.

You note that key exchange is vulnerable to attack. I think this isn't 
an issue if what's exchanged is a full certificate signed by a reputable 
CA, since no one could spoof such a certificate. Right?

—Jens

(*In general I'm pretty excited about this public data space, which I 
just discovered last night since its description is pretty well 
concealed :-) In particular I think can be the solution to my earlier 
issue about how to transfer buddy icons -- just store a small image 
under a particular namespace, and anyone who wants to display your 
picture in their buddy list can download it. There are a couple of 
issues which I'll address in a proposal I plan to post ASAP.)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/enriched
Size: 1899 bytes
Desc: not available
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20010410/565f30df/attachment-0002.bin>


More information about the JDev mailing list