[Security] PGP (XEP-0027)

Peter Saint-Andre stpeter at stpeter.im
Tue Jun 2 20:09:51 CDT 2009

On 6/2/09 6:50 PM, David Banes wrote:
> On 03/06/2009, at 9:17 AM, Peter Saint-Andre wrote:
> On 6/2/09 3:49 PM, Dave Cridland wrote:
>>>> On Tue Jun  2 21:43:00 2009, Peter Saint-Andre wrote:
>>>>> Thanks for the clarification. Personally I'd love to have key-login to
>>>>> XMPP servers (and HTTP servers!)
>>>> Pick the right client and server, and you can do this already, albeit
>>>> with X.509 rather than PGP.
> Problem is, how many people have PGP keys or X.509 certs? Even the
> security geeks on this list don't seem to use such technologies!
>> We solved a similar problem with CipherIM in '99 by creating an RSA/DSA
>> key pair during installation, using a password strength test algorithm,
>> then using the result to create conversation level session keys once an
>> SSL connection was up end to end (client-server-client).
>> It all worked well, even our DSD contact here liked the end result, so
>> much so we had to get a crypto export license.
>> Maybe the spec would allow ISVs to create an X.509 certificate at
>> install time, on demand, or use a supplied one from a CA.
>> The security is then as strong as the end user can be bothered to put in
>> place.

Thanks for the perspective. I think that's pretty much what we're
proposing here. And only 10 years after CipherIM. ;-)


--
Peter Saint-Andre
