[standards-jig] Essence of Jabber
mass at akuma.org
Thu Mar 7 02:06:35 UTC 2002

This really depends on the definition and requirements for 'secure'. If
only messages and authentication need to be secured, SASL and PGP cover
all the bases. If man-in-the-middle vulnerability is acceptable, you
don't even need PGP.

However, SSL does not provide any guarantees whatsoever for messages
when sent between servers, or against man-in-the-middle. It also adds a
large amount of setup traffic for connections, adds requirements for
certificates (which aren't in every installation's budget), adds latency
for all traffic, and increases the memory and processor utilization of
the server. There are also (or at least were) countries where encryption
technologies like SSL are not allowed.

IMHO, we should establish requirements before requiring certain security
features. It is rather probable that different applications of Jabber
will have different requirements as well, which SSL may very well not meet.

Shawn Wilton wrote:
>Honestly, I think ssl compatible connections should be required. We should
>put forth some effort to provide a more secure service. Do they have to
>turn it on, no. But if you wanna talk compliance, then it should be forced
>for inclusion in a product.