[Security] Re: e2e feedback
Ian Paterson
ian.paterson at clientside.co.uk
Fri Mar 16 07:32:51 CDT 2007
Peter Saint-Andre wrote:
> I'm not saying we'll solve all issues in 1 hour, but at least we can
> get some of the proposals on the table and discuss paths forward.
Yes, we should make the hour as productive as possible. So maybe we can
get some of the proposals "off the table" before the meeting?
What do people think about the idea of not discussing any e2e proposals
that do not meet the e2e "Requirement" for Perfect Forward Secrecy (PFS)?
PFS is a critical security feature that has been a requirement for all
non-storage encryption standards (e.g., TLS/SSH/IPsec).
OpenPGP, S/MIME, xmlenc+xmldsig etc. are only really suitable for
encrypting stored data. (XEP-0136 Message Archiving uses xmlenc.) They
should not be relied upon for encrypting stanza communication sessions.
IMHO we will be wasting our time if we seriously consider them for e2e,
since far more secure and efficient options are available to us.
If you're not convinced, you might be interested in this brief set of
presentation slides: "Off-the-Record Communication, or, Why Not to Use
PGP" http://www.cypherpunks.ca/otr/otr-codecon.pdf
- Ian
More information about the Security
mailing list