[Standards-JIG] UPDATED: JEP-0027 (Current Jabber OpenPGP Usage)

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Wed Mar 10 18:08:54 UTC 2004


On Wednesday 10 March 2004 8:19 am, Peter Saint-Andre wrote:
> All the feedback I've received is that developers hate the xmpp-e2e
> protocol. It doesn't seem very "Jabberish", it uses S/MIME, it requires
> the addition of a CPIM parser (of which none exist AFAIK), etc.

On top of this, it doesn't appear that xmpp-e2e can secure an <iq> stanza, 
which I think could be useful (see below).

> What do you mean by "older e2e drafts"? Things like this?
>
> http://www.jabber.org/ietf/attic/draft-ietf-xmpp-e2e-02.html
>
> That was still limited to PGP, no?

Under 'Requirements', item 3 says that either PGP or S/MIME should be 
possible.

> JEP-0116 is more in line with the Jabber Way, enables you to sign and/or
> encrypt the complete stanza, and enables you to use whatever keys you
> want (so could be used with X.509, PGP, RSA, etc.). It is based on the
> concept of a "session" so you might think it is not appropriate for
> "one-shot" use (by which I take it you mean sending a single stanza);

Yes, secure session is absolutely needed also, and we need to pursue it.

However, I do think one-shot security is still useful alone, for three 
reasons:  encrypting of offline messages, signing of presence, and signing of 
groupchat messages, all of which seem to have no solution otherwise (at least 
none has been presented in over a year of such discussion).  And we want both 
PGP and S/MIME here.

Also, I think one-shot security of <iq> could allow us to leverage the feature 
for use with session security.  For instance, JEP-116 could be greatly 
simplified by using 'jabber-e2e' to trade a session key instead of having its 
own separate procedure.  We can stack our JEPs this way.

-Justin


