[JDEV] Message security [was File Transfer]
jens at mac.com
Tue Apr 10 12:16:05 CDT 2001
On Tuesday, April 10, 2001, at 09:36 AM, Mathew Johnston wrote:
> Check out www.megaepic.com/~johnston/newencryption.txt - its a proposal
> that we're working on to get some better encryption support into jabber.
This looks good. I'm glad to see it piggybacking on a standard XML
encryption scheme, especially one that can contain an entire <message>
For public key exchange, why not store the key (a complete certificate,
actually) on the server using the public data space* described in [JPO
1.6.10] (confusingly under the "jabber:iq:private" namespace
description!) Just declare a new namespace like
"jabber:public:publickey" and store your certificate in an XML element.
No new protocol needed.
The only issue I can see is that it allows anyone to get the public key,
but that shouldn't cause problems; it is after all a public key. If only
buddies could get it, you wouldn't be able to send a signed message to a
non-buddy and have them be able to verify it.
You note that key exchange is vulnerable to attack. I think this isn't
an issue if what's exchanged is a full certificate signed by a reputable
CA, since no one could spoof such a certificate. Right?
(*In general I'm pretty excited about this public data space, which I
just discovered last night since its description is pretty well
concealed :-) In particular I think can be the solution to my earlier
issue about how to transfer buddy icons -- just store a small image
under a particular namespace, and anyone who wants to display your
picture in their buddy list can download it. There are a couple of
issues which I'll address in a proposal I plan to post ASAP.)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 1899 bytes
Desc: not available
More information about the JDev