[Standards-JIG] UPDATED: JEP-0027 (Current Jabber OpenPGP Usage)
justin-keyword-jabber.093179 at affinix.com
Wed Mar 10 18:08:54 UTC 2004
On Wednesday 10 March 2004 8:19 am, Peter Saint-Andre wrote:
> All the feedback I've received is that developers hate the xmpp-e2e
> protocol. It doesn't seem very "Jabberish", it uses S/MIME, it requires
> the addition of a CPIM parser (of which none exist AFAIK), etc.
On top of this, it doesn't appear that xmpp-e2e can secure an <iq> stanza,
which I think could be useful (see below).
> What do you mean by "older e2e drafts"? Things like this?
> That was still limited to PGP, no?
Under 'Requirements', item 3 says that either PGP or S/MIME should be
> JEP-0116 is more in line with the Jabber Way, enables you to sign and/or
> encrypt the complete stanza, and enables you to use whatever keys you
> want (so could be used with X.509, PGP, RSA, etc.). It is based on the
> concept of a "session" so you might think it is not appropriate for
> "one-shot" use (by which I take it you mean sending a single stanza);
Yes, secure session is absolutely needed also, and we need to pursue it.
However, I do think one-shot security is still useful alone, for three
reasons: encrypting of offline messages, signing of presence, and signing of
groupchat messages, all of which seem to have no solution otherwise (at least
none has been presented in over a year of such discussion). And we want both
PGP and S/MIME here.
Also, I think one-shot security of <iq> could allow us to leverage the feature
for use with session security. For instance, JEP-116 could be greatly
simplified by using 'jabber-e2e' to trade a session key instead of having its
own separate procedure. We can stack our JEPs this way.