[Standards-JIG] UPDATED: JEP-0027 (Current Jabber OpenPGP Usage)

Peter Saint-Andre stpeter at jabber.org
Wed Mar 10 16:19:51 UTC 2004


Hi Justin,

Yes, we need to think about this, don't we?

All the feedback I've received is that developers hate the xmpp-e2e
protocol. It doesn't seem very "Jabberish", it uses S/MIME, it requires
the addition of a CPIM parser (of which none exist AFAIK), etc.

JEP-0116 is more in line with the Jabber Way, enables you to sign and/or
encrypt the complete stanza, and enables you to use whatever keys you
want (so could be used with X.509, PGP, RSA, etc.). It is based on the
concept of a "session" so you might think it is not appropriate for
"one-shot" use (by which I take it you mean sending a single stanza);
but nothing restricts a session to a particular GUI or chat window, say.
Or so it seems to me -- this is something we need to discuss. IIRC, the
sending of stanzas to offline entities may be problematic in JEP-0106,
but personally I'm not sure how important that use case is, anyway, in
the context of IM. But that's another item for discussion.

What do you mean by "older e2e drafts"? Things like this?

http://www.jabber.org/ietf/attic/draft-ietf-xmpp-e2e-02.html

That was still limited to PGP, no?

Peter

On Tue, Mar 09, 2004 at 09:32:01PM -0800, Justin Karneges wrote:
> Your update prompted me to ponder some more about end-to-end encryption in 
> Jabber.
> 
> There are many aspects to consider, but I think the first one we should solve 
> is a way to encrypt / sign full stanzas for one-shot use.  The only thing 
> that comes close is xmpp-e2e.  JEP-27 is good for one-shot and offline 
> message use, but unfortunately it does not support full stanza security or 
> signing.  Also, xmpp-e2e is for use with X.509 and JEP-27 is for use with 
> PGP.  The older e2e drafts seemed to be what we wanted...  can we achieve 
> this with the newer revisions?  Or is it time to bring this home to 
> Jabber-land?
> 
> -Justin
> 
> On Tuesday 09 March 2004 8:35 pm, Peter Saint-Andre wrote:
> > I've completed an editorial review of JEP-0027 (Current Jabber OpenPGP
> > Usage) and have made some small modifications that merit updating the
> > version number to 1.2; the changelog is:
> >
> >    Clarified the text in several places; added several more security
> >    considerations and known issues. (psa)
> >
> > http://www.jabber.org/jeps/jep-0027.html
> >
> > Peter
