[Security] Re: e2e feedback

Ian Paterson ian.paterson at clientside.co.uk
Fri Mar 16 07:32:51 CDT 2007


Peter Saint-Andre wrote:
> I'm not saying we'll solve all issues in 1 hour, but at least we can 
> get some of the proposals on the table and discuss paths forward.

Yes, we should make the hour as productive as possible. So maybe we can 
get some of the proposals "off the table" before the meeting?

What do people think about the idea of not discussing any e2e proposals 
that do not meet the e2e "Requirement" for Perfect Forward Secrecy (PFS)?

PFS is a critical security feature that has been a requirement for all 
non-storage encryption standards (e.g., TLS/SSH/IPsec).

OpenPGP, S/MIME, xmlenc+xmldsig etc. are only really suitable for 
encrypting stored data. (XEP-0136 Message Archiving uses xmlenc.) They 
should not be relied upon for encrypting stanza communication sessions. 
IMHO we will be wasting our time if we seriously consider them for e2e, 
since far more secure and efficient options are available to us.

If you're not convinced, you might be interested in this brief set of 
presentation slides: "Off-the-Record Communication, or, Why Not to Use 
PGP" http://www.cypherpunks.ca/otr/otr-codecon.pdf

- Ian



More information about the Security mailing list