[Security] Gajim 0.12's E2E encryption UI

Simon Josefsson simon at josefsson.org
Fri Aug 22 07:20:45 CDT 2008


Dirk Meyer <dmeyer at tzi.de> writes:

> But maybe the c2c user talk is completly different from c2c remote
> control. In my use case X.509 certificates and TLS-RSK seems to be
> exactly what I need, but I need a least sign all my client keys
> somehow (setting up a private CA is very complicated or can someone
> send me script doing that WITHOUT user interaction?). I agree that
> OpenPGP sounds better when creating a web of trust.

Here's an idea: standardize on "just-use-TLS" and write a few "XMPP
application TLS profiles" for how

  1) human chat should be authenticated (OpenPGP, SRP, leap-of-fait, etc
     or whatever the discussions results in) and

  2) more specific applications like remote control where X.509 client
     certificates and existing CA structures are more appropriate (if
     that is actually the case, but I can well imagine that it is).

  3) etc for other kind of XMPP needs.

It would be unfortunate to standardize on TLS+OpenPGP+SRP or whatever
that discussion results in, and then realize that TLS used in a
different way is more appropriate for some set of users.  Better to
realize that different users will have different requirements on the
security used.

For example, I can imagine that XMPP users within an organization that
uses Kerberos will want to require that Kerberos is used to authenticate
all XMPP secured channels.  (Not that there is a good way to use
Kerberos in TLS today, but that may change sooner than you think...)

Disclaimer: I'm not an XMPP expert, so this approach may be totally
inappropriate for how XMPP is standardized.

/Simon


More information about the Security mailing list