[Security] Re: e2e feedback

Justin Karneges justin at affinix.com
Sat Mar 17 01:50:42 CDT 2007


On Friday 16 March 2007 8:08 pm, Peter Saint-Andre wrote:
> Mridul wrote:
> > I always considered 3923 a pretty decent idea since it was practical ...
>
> Practical, other than the PKI dependency (or can you use self-signed
> certificates?) and the CPIM usage (which developers hate, there are no
> CPIM parsers) and the MIME stuff (very much not jabberish). As someone
> once said, S/MIME is the only known security technology with more
> implementations than users. :)

You could use self-signed certificates if you don't want to drag in the PKI.  
This should be the case with any X.509-based protocol.

True, CPIM and MIME aren't very Jabber-ish.  We could get rid of those if we 
wanted to and just use S/MIME alone (which, I wrote a JEP proposal for, if 
anyone remembers).  That said, if there were a simplicity contest, CPIM and 
MIME would win against most of the other e2e suggestions, so I wouldn't be 
afraid of having to implement them. :)

Unfortunately, S/MIME doesn't provide forward secrecy.  For live chat, we can 
do better.

-Justin


More information about the Security mailing list