[standards-jig] Essence of Jabber

David Waite mass at akuma.org
Thu Mar 7 02:06:35 UTC 2002


This really depends on the definition and requirements for 'secure'. If 
only messages and authentication need to be secured, SASL and PGP cover 
all the bases. If man-in-the-middle vulnerability is acceptable, you 
don't even need PGP.

However, SSL does not provide any guarantees whatsoever for messages 
when sent between servers, or against man-in-the-middle. It also adds a 
large amount of setup traffic for connections, adds requirements for 
certificates (which aren't in every installation's budget), adds latency 
for all traffic, and increases the memory and processor utilization of 
the server. There are also (or at least were) countries where encryption 
technologies like SSL are not allowed.

IMHO, we should establish requirements before requiring certain security 
features. It is rather probable that different applications of Jabber 
will have different requirements as well, which SSL may very well not meet.

-David Waite

Shawn Wilton wrote:

>Honestly, I think ssl compatible connections should be required.  We should
>put forth some effort to provide a more secure service.  Do they have to
>turn it on, no.  But if you wanna talk compliance, then it should be forced
>for inclusion in a product.