[JDEV] Security & the Java Jabber server
jabber_dev at hotmail.com
Mon Jul 2 13:55:48 CDT 2001
Hi Al and Iain,
I would like to participate and contribute to the development of the Java
Jabber server. As you both have pointed out, there are definitely very good
reasons to have an implementation in Java.
Apart from the issues you both have brought out, I am also personally
interested in trying to figure out how to tie in XML-DSIG to add security,
especially when you start talking about 'enterprise grade' communications.
Another interest is to see if and how Kerberos fits in. The concept of
sessions can be pretty pertinent to communications and this might be an
area for something like Kerberos to come in.
Are you guys planning on starting up some kind of a virtual team of people
together soon? I would hate to see this one get shelved :-). We might also
be able to contribute a lot to the standardization folks!
Looking forward to more ideas/comments.
>My primary focus for developing the Java Jabber server is ease of
>installation & configuration. I've seen numerous requests about problems
>in jabberd.xml so I'm trying to make the system require the minimum level
>of detail in a configuration file (possibly just the server name), and use
>features within Java (such as reflection) to figure out what's available.
>On the security front, I've been looking at the use of digital signatures
>and asymmetric cryptography to improve trust relationships. The areas that
>affect what you bring up are:
>1) Client -> Server: The use of signed digital certificates which are
>signed by a known entity (possibly Jabber.com, and/or others), to verify
>the server's name, IP, and any other details in a similar way as TLS.
>2) Server -> Server: The establishment of a key bank (possibly
>distributed) in which jabber servers store their public keys, data then
>sent from server A to server B can be encrypted by Server A using its
>private key, sent to B, B can fetch A's public key from the key store,
>and decrypt the data. This would give not only server to server message
>security, but also verification of server A's identity.
>I'm also keen on developing the idea of using a Jabber server as a central
>authentication location so that 3rd party apps can make use of jabber for
>These are still only my ideas, and they haven't been discussed, so if you
>have any comments I'd welcome them.
>Any general comments should go through this list, but if you want to talk
>to me specifically about something you can either mail me or try and grab
>me on Jabber at al at personalbuddy.com
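
The server-to-server idea in point 2 of the quoted message, sketched as an added example (not code from the post or from any Jabber server): server A signs each stanza with its private key and server B verifies it against the public key it fetches from the key bank. The in-memory map standing in for the key bank, the host names and the canonical byte layout are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class KeyBankDemo {
    // Hypothetical in-memory stand-in for the "key bank": server name -> public key.
    static final Map<String, PublicKey> KEY_BANK = new HashMap<>();

    // Bind sender, recipient and body together; length prefixes keep the fields unambiguous.
    static byte[] canonical(String from, String to, String body) {
        String s = from.length() + ":" + from + to.length() + ":" + to + body;
        return s.getBytes(StandardCharsets.UTF_8);
    }

    // Server A: sign the outgoing stanza with A's private key.
    static byte[] sign(PrivateKey key, String from, String to, String body)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(canonical(from, to, body));
        return sig.sign();
    }

    // Server B: look up the claimed sender in the key bank and check the signature.
    static boolean verify(String from, String to, String body, byte[] signature)
            throws GeneralSecurityException {
        PublicKey pub = KEY_BANK.get(from);
        if (pub == null) return false;              // sender not registered: reject
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(pub);
        sig.update(canonical(from, to, body));
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair a = gen.generateKeyPair();          // server A's key pair
        KeyPair other = gen.generateKeyPair();      // a key that is NOT in the bank for a.example
        KEY_BANK.put("a.example", a.getPublic());

        String body = "<message to='user@b.example'><body>hello</body></message>"; // constructed sample
        byte[] good = sign(a.getPrivate(), "a.example", "b.example", body);
        byte[] wrongKey = sign(other.getPrivate(), "a.example", "b.example", body);
        System.out.println("genuine:        " + verify("a.example", "b.example", body, good));
        System.out.println("body altered:   " + verify("a.example", "b.example", body + " ", good));
        System.out.println("wrong key:      " + verify("a.example", "b.example", body, wrongKey));
        System.out.println("unknown sender: " + verify("c.example", "b.example", body, good));
    }
}
```

This gives B proof of origin and integrity for each stanza; the stanza body itself still travels readable, so confidentiality needs a separate encryption layer.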