[standards-jig] Thoughts about DSPS/JOBS

Jan Niehusmann jan at gondor.com
Mon Dec 2 14:56:52 UTC 2002

On Wed, Nov 27, 2002 at 09:38:26AM -0800, Matthew A. Miller wrote:
> I said AUTHENTICATION, not ENCRYPTION.  Line tapping is irrelevant in
> this argument.  However, the very classic "man-in-the-middle" attack is
> still a significant factor, and JOBS at least attempts to address this. 
> DTCP does not.

I don't see how JOBS and DTCP differ significantly in terms of
authentication. Both are safe as long as no line tapping takes place,
and both are vulnerable to man-in-the-middle attacks. 

Only an attacker who could read the jabber stream (but not change it)
could attack DTCP, because he would have access to the 'key' exchanged
between the connecting parties. 

But it's difficult to imagine an attacker who could read the jabber
stream without the ability to modify it. And if he could insert data
into the jabber stream, he could attack JOBS as well. 

As DTCP allows TLS, strong authentication could be added, by some
kind of key management. An open question would be how one could tie a
TLS certificate to a given jabber ID, securely.


