[Operators] requiring channel encryption

Peter Saint-Andre stpeter at stpeter.im
Thu May 8 16:03:55 CDT 2008


On 05/01/2008 7:00 AM, Jesse Thompson wrote:
> Jonathan Schleifer wrote:
>> Peter Saint-Andre <stpeter at stpeter.im> wrote:
>>> Perhaps at jabber.org we will require c2s encryption before we require
>>> s2s encryption. But I think it's worthwhile to make the effort...
>>
>> I think the other way around would be more useful. First, force those
>> who have the knowledge to fix it in a few minutes (it's just generating
>> a cert and one option - in every Jabber server). If that succeeded, we
>> can force those who maybe have less knowledge and need some time to
>> figure it out.
>> Anyway, forcing it for s2s would be faster achievable than having all
>> clients use STARTTLS by default.
>> Thus, I'd recommend trying to force TLS for s2s first.
> 
> I disagree.  Encrypting passwords is much more important than encrypting
> s2s content.  Protecting the password is a concern for 100% of users.
> Protecting the content of s2s conversations is important, but I doubt
> that more than 5% of users really need it (not everyone uses s2s, and
> not everyone that uses s2s puts sensitive data in a chat conversation

Do you mean encrypting them over the wire or in the backend account store?

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
