[Standards-JIG] JEP-0008 vs. JEP-0027

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Mon Apr 26 21:00:11 UTC 2004


On Monday 26 April 2004 8:50 am, Joe Hildebrand wrote:
> Yes, as soon as we agree on a replacement.
>
> Note that there is no actual need for the presence to be signed anymore,
> other than for backward-compatibility.  It doesn't provide any real
> security, since it's subject to replay attacks, JEP-115 is a better way to
> signal the capability to do PGP, and pub/sub is a better way of finding and
> distributing keys.

Totally agree.  However, signed presence can be useful if done properly.  
jep-secure and xmpp-e2e both cover signed presence, and so whatever 
supercedes jep-27 will still have the ability to bloat out a presence packet.  
However, I think stanza security is a very special scenario, not on the same 
level as avatars.

-Justin



More information about the Standards mailing list