[Security] PGP (XEP-0027)

Peter Saint-Andre stpeter at stpeter.im
Tue Jun 2 20:09:51 CDT 2009


On 6/2/09 6:50 PM, David Banes wrote:
> 
> On 03/06/2009, at 9:17 AM, Peter Saint-Andre wrote:
> 
> On 6/2/09 3:49 PM, Dave Cridland wrote:
>>>> On Tue Jun  2 21:43:00 2009, Peter Saint-Andre wrote:
>>>>> Thanks for the clarification. Personally I'd love to have key-login to
>>>>> XMPP servers (and HTTP servers!)
>>>>
>>>> Pick the right client and server, and you can do this already, albeit
>>>> with X.509 rather than PGP.
> 
> Problem is, how many people have PGP keys or X.509 certs? Even the
> security geeks on this list don't seem to use such technologies!
> 
> 
>> We solved a similar problem with CipherIM in '99 by creating an RSA/DSA
>> key pair during installation, using a password strength test algorithm,
>> then using the result to create conversation level session keys once an
>> SSL connection was up end to end (client-server-client).
> 
>> It all worked well, even our DSD contact here liked the end result, so
>> much so we had to get a crypto export license.
> 
>> Maybe the spec would allow ISVs to create an X.509 certificate at
>> install time, on demand or use a supplied one from a CA.
> 
>> The security is then as strong as the end user can be bothered to put in
>> place.

Thanks for the perspective. I think that's pretty much what we're
proposing here. And only 10 years after CipherIM. ;-)

Peter

--
Peter Saint-Andre
https://stpeter.im/