[Security] PGP (XEP-0027)

Simon Josefsson simon at josefsson.org
Wed Jun 3 00:24:07 CDT 2009


Peter Saint-Andre <stpeter at stpeter.im> writes:

> On 6/2/09 2:34 PM, Simon Josefsson wrote:
>> Peter Saint-Andre <stpeter at stpeter.im> writes:
>> 
>>> On 6/2/09 1:56 PM, Dave Cridland wrote:
>>>> On Tue Jun  2 18:56:35 2009, Jonathan Schleifer wrote:
>>>>> What if DSA gets completely broken someday? Then we're screwed. And if
>>>>> we want to be algorithm-independant, we need to implement something
>>>>> very similar to OpenPGP anyway.
>>>> Or TLS.
>>>>
>>>> Which, incidentally, can use PGP keys.
>>> AFAIK only GnuTLS has (experimental) support for RFC 5081 (which is
>>> itself experimental):
>>>
>>> http://tools.ietf.org/html/rfc5081
>> 
>> The OpenPGP implementation in GnuTLS is not experimental.  I believe the
>> RFC is experimental for IETF political reasons, there is no organized
>> experiment conducted as far as I know.
>
> Thanks for the clarification. Personally I'd love to have key-login to
> XMPP servers (and HTTP servers!) so that we could move beyond passwords
> for authentication. Perhaps we need to lean on the OpenSSL folks about
> this, too?

It seems http://rt.openssl.org/Ticket/Display.html?id=1794 is the place
to do that. ;)

While I like PGP/X509 to be used, I think it is important to also
support secure communication to happen based on a shared secret.  While
the security industry likes to believe public key solutions will solve
everything, what normal people understand will continue to be
"passwords".  And it should be possible to build a secure communication
system bootstrapped from a password.  One approach is for
implementations to generate the X509/PGP certs on the fly, and
authenticate them using the shared secret.

/Simon


More information about the Security mailing list