[Standards-JIG] Questions on RFC 3923

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Wed Dec 8 04:36:03 UTC 2004


On Tuesday 07 December 2004 07:14 pm, Jens Mikkelsen wrote:
> As I see it the non-CPIM part is the most important.
> I am not that much in to the S/MIME. I looked a bit at the RFC, but not
> enough to se whats the problem with it. What are pros and cons? As I
> read it, you can use RSA with S/MIME. Right? Do you have anymore info on
> XMLEnc?

An X.509 certificate is simply a container for a public key (of which RSA is 
one possible type) along with some meta data about the owner.  As I 
understand it, S/MIME lets you encrypt/decrypt/sign/verify data using X.509.  
So yes, you can use RSA with S/MIME.  That's what would happen if your 
certificate contained an RSA key.

As for XMLEnc, the spec can be found here:
  http://www.w3.org/TR/xmlenc-core/
And I forgot to mention the signing spec also, which is here:
  http://www.w3.org/TR/xmldsig-core/

Probably the best reason to use xmlenc is to avoid having to create a new 
format for symmetric encryption.  Since S/MIME is essentially asymmetric, 
we'd need something different for symmetric.  With xmlenc, we can do one or 
both at our selection.

> > Another thing you may have noticed is that I omitted PGP support in this
> > listing.
[...]
> This seems reasonable.
> I don't think asynchronical encryption is completely satisfactory for
> Jabber. I see IM's as being very usefull in distributed systems with
> filesharing etc. I think this is the future. If files are being
> transfered all the time, synchronical encryption seems more efficient.
> As I see it asyncronical encryption should be used for messages, and
> single file transfers, but when multible files/video/voice are being
> send to multible persons the protocol should use synchronical
> encryption.

Well, both S/MIME and PGP involve asymmetric security.  I totally agree that 
for most data transfer only symmetric encryption is necessary, and so 
asymmetric security should only be used as "setup".  However, the rationale 
for omitting PGP was simply to standardize on one public key format (X.509) 
instead of two (X.509 /and/ PGP).

At this point, we just need good asymmetric security for single stanzas.  We 
can build everything else off of that.

-Justin



More information about the Standards mailing list