[Security] PGP (XEP-0027)

David Banes david at banes.org
Tue Jun 2 19:50:59 CDT 2009

On 03/06/2009, at 9:17 AM, Peter Saint-Andre wrote:

> On 6/2/09 3:49 PM, Dave Cridland wrote:
>> On Tue Jun  2 21:43:00 2009, Peter Saint-Andre wrote:
>>> Thanks for the clarification. Personally I'd love to have key-login to
>>> XMPP servers (and HTTP servers!)
>> Pick the right client and server, and you can do this already, albeit
>> with X.509 rather than PGP.
> Problem is, how many people have PGP keys or X.509 certs? Even the
> security geeks on this list don't seem to use such technologies!

We solved a similar problem with CipherIM in '99 by creating an RSA/DSA
key pair during installation, using a password strength test
algorithm, then using the result to create conversation level session
keys once an SSL connection was up end to end (client-server-client).

It all worked well, even our DSD contact here liked the end result, so
much so we had to get a crypto export license.

Maybe the spec would allow ISVs to create an X.509 certificate at
install time, on demand or use a supplied one from a CA.

The security is then as strong as the end user can be bothered to put  
in place.

>>> so that we could move beyond passwords
>>> for authentication.
>> To be fair, that needs smart cards. (Unless you ignore the passphrase
>> needed somewhere).
> I meant that passwords need not be exchanged over the wire if you're
> Peter
> - --
> Peter Saint-Andre
> https://stpeter.im/
