[Standards-JIG] Questions on RFC 3923

Jens Mikkelsen gyldenskjold at mail.dk
Tue Dec 7 22:02:41 UTC 2004


Hi list,

I have been looking at RFC 3923 
"End-to-End Signing and Object Encryption for the Extensible Messaging
and Presence Protocol (XMPP)"
and I have a few questions I was hoping you could help me figure out.

It says:
       *  When A establishes a SUBSCRIPTION to B's PRESENCE INFORMATION,
          the protocol MUST provide A means of verifying the accurate
          receipt of the content B chooses to disclose to A.  (Section
          5.1.4)

       *  The protocol MUST provide A means of verifying that the
          presence information is accurate, as sent by B.  (Section
          5.3.1)

This seems strange. How can you ensure this when the server is like an
arbitrator between the presence informator and the presence subscribers.
This breaks with the jabber idea, as I see it. Now you have to broadcast
precense because you need to sign it. Right?

further:
       *  Prior to signing and/or encrypting, the format of an instant
          message MUST conform to the CPIM Message Format defined in
          [MSGFMT].

Hmmm... As I see it, this destroys the jabber protocol. Wrapping the
message in a M   |   Content-type: Message/CPIM
   |   <message to='romeo at example.net/orchard' type='chat'>
   |     <e2e xmlns='urn:ietf:params:xml:ns:xmpp-e2e'>
   |
   |   From: Juliet Capulet <im:juliet at example.com>
   |   To: Romeo Montague <im:romeo at example.net>
   |   DateTime: 2003-12-09T11:45:36.66Z
   |   Subject: Imploring
   |
   |   Content-type: text/plain; charset=utf-8
   |   Content-ID: <1234567890 at example.com>
   |
   |   Wherefore art thou, Romeo?essage/CPIM like this:
   |     </e2e>
   |   </message>
seems to make the jabber XML despesible. There's no reason to extend the
packet to contain more than one "to" and "from" fields.
The same counts for presence packets.

Further regarding timestamps:
   o  It MUST verify that the timestamp received is within five minutes
      of the current time.

Dosn't this break with the idea of a message waiting on the server for
you untill you get online?

This whole RFC seems to be destroying the idea of jabber. Probably
everyone will use encrypted IMs in a few years, so this should be
changed.

Why don't continue with the jabber XML? 
My first idea was that for instance the message protocol could be used
with a child that told what the encryption whas like this:

<message type='chat' to='example at jabber.org/Home'>
  <body>
    <RSAEncandsigned>
	an encrypted and signed message using RSA encryption
    </RSAEncandsigned>
  </body>
</message>

Is this totaly stupid?

Hope you can give me some input on this.

Best regards
Jens Mikkelsen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://mail.jabber.org/pipermail/standards/attachments/20041207/8f75f3d8/attachment.sig>


More information about the Standards mailing list