[Security] GSoC proposal: Identity-based end-to-end encryption for XMPP

Brian Spector brian.spector at certivox.com
Tue Mar 15 17:17:26 CST 2011


This ignorance on this board is truly stunning.  It's actually hard to
argue with the logic presented here.

>> The primary advantage of an IBE system is that you can encrypt to
>> people whose credentials you don't have (and may not even have any
>> yet). However, since this is a real-time exchange, that benefit does
>> not applyhere.

Anyone with a cursory knowledge of crypto knows the issues in scaling PKI
are immense.
Identity based cryptosystems come in all shapes and sizes, not just
identity based encryption, but identity based key agreements, hierarchical
key systems, etc.
And there are PLENTY of well-known IBCs that are IPR free  (well, at least
to anyone who isn't lazy enough to look beyond Boneh-Franklin).

Further, I think there are some people on this list that are also on the
IETF draft bodies, and they know the proposals coming down the river, and
WHY they are coming down the river, and no one has spoken up yet for this
guy and his idea.  If that's the case, that's shameful.

David, it's a great idea, it's important, and I'll find a way to rustle up
the resources to sponsor you.

I think I can relegate this board to a Google archive rather than have it
pollute my inbox anymore.

FAIL.

-----Original Message-----
From: security-bounces at xmpp.org [mailto:security-bounces at xmpp.org] On
Behalf Of Eric Rescorla
Sent: 15 March 2011 15:32
To: XMPP Security
Subject: Re: [Security] GSoC proposal: Identity-based end-to-end
encryption for XMPP

On Tue, Mar 15, 2011 at 8:20 AM, David Núñez <dnunez at lcc.uma.es> wrote:
> The idea is to use the XMPP servers as Key Generation Centers (KGC),
since they already provide procedures for user authentication. Thus, the
project would have to develop the server components required to issue
private keys to users, among others. I think that the fact that the JID of
the user you want to securely communicate could act as a public key is
interesting to the XMPP protocol.

Yes, this does not add any value over a standard PKI system.

-Ekr

> However, I am aware that there have been several responses to my
proposal, and it seems that it is not very interesting to XMPP. I would
like to thank you for your thoughtful insights. As one of you suggested in
a previous response, I will study in more depth the current problems in
end-to-end communication in XMPP and try to propose something else. I was
hoping to participate in this Google Summer of Code edition. Any ideas
that could be arranged as a proposal?
>
> Best regards,
> David.
>
> El 15/03/2011, a las 15:47, Eric Rescorla escribió:
>
>> On Tue, Mar 15, 2011 at 7:14 AM, David Núñez <dnunez at lcc.uma.es> wrote:
>>> Thank you for your response. Respect to your first point, one
advantage of the proposed scheme is that it is an alternative to digital
certificates and its associated distribution infrastructure, as it relies
on the identity of the users as public keys.
>>
>> I don't know what this means. An IBE system requires a central key
>> generation server which needs to verify users identities and only
>> issue keys when appropriate. The processing done by the KGS looks
>> very much like that done by a CA.
>>
>> The primary advantage of an IBE system is that you can encrypt to
>> people whose credentials you don't have (and may not even have any
>> yet). However, since this is a real-time exchange, that benefit does
>> not applyhere.
>>
>> -Ekr
>
>
***** Email confidentiality notice *****

This message is private and confidential. If you have received this message in error, please notify us and remove it from your system.

CertiVox Ltd is a company registered in England and Wales. Registered number: 7498769. Registered office: 145-157 St. John Street London EC1V 4PY



More information about the Security mailing list