[JDEV] Security in XMPP/Jabber: some questions

Perry Lorier perry at coders.net
Fri May 23 06:54:25 CDT 2003

Hash: SHA1

> if we take a closer look about SASL there's kerberos, tsl - that is
> the ietf version of netscape's ssl ver 3 , GSSAPI - i've to admit that
> i didnt understand this mechanism much , s/key and external mechanisms
> of authentication... and my question is, why not a simple
> authentication using the pki and based on certification authorities?

A) people want single signon, (which is what kerberos is good at, it
lets you give a password when you login, which can then be used to grant
tickets to give to services such as jabber)

B) Who will the certification authority be?  verisign? a 128 bit key is
16 bytes.  verisign currently sign certificates at $895(US) per year.
thats $7 per bit per year, perhaps the most expensive bits on the
planet.  This would prevent enthusiests from running a jabber server.
If you're going to require that each user has a personal certificate to
authenticate against jabber, although they are (currently) free I
believe, it's a lot of hassle to connect.

C) If you don't have your private key where you are you can't login.  I
can't just load up my jabber client at a friends place to check my
messages, because I'd have to find my private key and make sure it was
available on my friends computer.

> public keys, diffie-helman agreement to create session kyes,

If you use TLS/SSL then it will use diffie-helman to generate session
keys anyway.

> zero-knowledge agreement between servers and clients (note, not
> between clients and servers, server must identify himself first),
> chalange-answer between clients and servers, and one of this two
> between servers and servers ... i think this is pretty much secure
> than anything ...

Security is a trade off between security and ease of use.  

- -- 
This is National Non-Dairy Creamer Week.
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Only when you are sure they have you, can you stop being paranoid


More information about the JDev mailing list