[standards-jig] A late security comment on JEP-0020 (and random comments about #31)

David Waite mass at akuma.org
Thu May 16 00:41:13 UTC 2002

After thinking about it a bit, I agree that negotiation of security 
algorithms is only acceptable via JEP-0020 is only viable if man in the 
middle attacks are considered an acceptable risk. You must require some 
form of trusted secret in order to prevent man in the middle attacks (or 
physical protection between the endpoints :-)).

random question about JEP-0031 - why does all data need to be processed 
in network-byte-order UTF-16; Jabber requires only UTF-8 support to 
connect, so that means all clients will require some mechanism for 
handling both character encodings (and conversion between). UTF-8 also 
has the benefit of not having system byte endianness as an issue. Also, 
does the data need to be normalized for these algorithms to work? (I 
assume it does for any sort of signing to function correctly, but I'm 
still only a third of the way through your JEP)

-David Waite

Paul Lloyd wrote:

>David Waite wrote:
>>I might be off my rocker, but I thought this is exactly how SSL
>>negotiates such things. You just don't say you will accept a wimpy
>>scheme if it is too wimpy for your uses.
>Please see sections F.1.2 & F.1.3 of http://www.ietf.org/rfc/rfc2246.txt
>It's actually not as simple as just saying no,
>  |\/\/\/|        "I DIDN'T DO IT, MAN!"
>  |      |
>  |      |        Paul Lloyd
>  | (o)(o)        Infrastructure Strategic Engineering
>  C      _)       Strategy and Architecture Leadership Team
>   | ,___|        voice:          650-236-3704
>   |   /          FAX:            650-236-3632
>  /____\          MSN Messenger:  paul_lloyd at hp.com
> /      \         plloyd at corp.hp.com
>Standards-JIG mailing list
>Standards-JIG at jabber.org

More information about the Standards mailing list