[Security] PGP (XEP-0027)

Jonathan Schleifer js-xmpp-security at webkeks.org
Tue Jun 2 12:56:35 CDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Peter Saint-Andre <stpeter at stpeter.im> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 6/2/09 11:02 AM, Stephen Paul Weber wrote:
> > Somebody signing messages as Peter Saint-Andre wrote:
> >> As I understood it, we were thinking that clients would generate a
> >> simple key (not PGP) for use in session security. That key could be
> >> signed with an OpenPGP key or X.509 cert if the user has such a
> >> beast, but we would not introduce a dependency on OpenPGP or X.509.
> > 
> > Instead you would introduce a dependency on some new key format of
> > your invention? This does not seem to be a win.  The benefit of
> > supporting OpenPGP and X.509 keys is the formats are already
> > standardised, well understood and supported, and widely deployed.
> 
> No, we would probably use DSA keys. We're not in the business of
> making new key formats here. :)

What about RSA and ECDSA? And what about key size, will it be limited
to 1024 with DSA just like in OpenPGP? 1024 can already be broken with
modern hardware.

What if DSA gets completely broken someday? Then we're screwed. And if
we want to be algorithm-independent, we need to implement something
very similar to OpenPGP anyway.

- -- 
Jonathan

