[standards-jig] Re: JEP-0102

Jean-Louis Seguineau/EXC/ENG jean-louis.seguineau at antepo.com
Wed Jul 2 21:37:47 UTC 2003


If I understand you correctly, you do not want to implement experimental
JEPs, and the one you want to implement should not be too complex :)

That said, anything that has to do with "security" hardly fits in a
three-page JEP. A look at various RFCs around will confirm that. Maybe, before
being so affirmative that all cases are covered by SSL, PGP and S/MIME you
could have done some superficial research that may have brought answers to
these legitimate questions.

Secondly, although this JEP says experimental (because all JEPs do) it is
far from experimental, as this has been part of our commercial clients that
are used by our customers since the beginning of the year. It's a working
solution that took 1 1/2 months to spec, and a week to implement and test.
Maybe the short implementation time came from a rather thorough spec ...

Finally, everything in the JEP is standards-based. On the XML side it uses
XMLSec and XMLDsig, and for the rest we have just implemented IKE (Internet
Key Exchange). So nothing really new here but XMPP adaptation.

Peter, I don't understand the point you were trying to make, and I believe
your comment is not appropriate. I understand equally that security issues
are not mainstream for most people, looking at the small number of
constructive comments made so far on the JEP. But I am afraid that any
proper security implementation will have to be as detailed, and probably as
boring...

Jean-Louis Seguineau
Vice-President Engineering, Chief Technology Officer
Antepo, Inc.

Tolerance comes with the acceptance of the unknown - Pascal

----- Original Message -----
> Message: 1
> Date: Tue, 1 Jul 2003 14:01:47 -0700 (PDT)
> From: Peter Ronez <prnz404 at yahoo.com>
> Subject: Re: [standards-jig] JEP-0102
> To: standards-jig at jabber.org
> Reply-To: standards-jig at jabber.org
>
> So, given that I wholeheartedly disagree with let's ratify JEPs and get
> stuff implemented mindset. Jabber would lose its cleanliness if Peter
> Saint-Andre and the other Jabber.org people were ratifying JEPs left and
> right. The most important thing to note here is that it's incredibly
> difficult if not impossible to undo bad decisions once they've been
> approved.
>
...
> That brings me to JEP 102. Wow, what a complicated JEP that seems to be
> partly redundant with the SSL, PGP, S/MIME stuff found in the IETF
> specifications. I'm not a cryptanalyst so I can comment further. I do think
> that the SSL and PGP/S-MIME support is adequate for most paranoid users even
> if it doesn't have all the key exchange and what not. However, I'm looking
> forward to being disproved and being shown that this JEP is exactly what
> everyone needs.
>
