[Standards-JIG] UPDATED: JEP-0027 (Current Jabber OpenPGP Usa ge)

Joe Hildebrand JHildebrand at jabber.com
Mon Mar 15 20:10:37 UTC 2004


If we're going to do one-shot e2e message encryption, it MUST prevent replay
attacks, which JEP 27 does not.

-- 
Joe Hildebrand

 

> -----Original Message-----
> From: Justin Karneges 
> [mailto:justin-keyword-jabber.093179 at affinix.com] 
> Sent: Wednesday, March 10, 2004 11:09 AM
> To: Jabber protocol discussion list
> Subject: Re: [Standards-JIG] UPDATED: JEP-0027 (Current 
> Jabber OpenPGP Usage)
> 
> On Wednesday 10 March 2004 8:19 am, Peter Saint-Andre wrote:
> > All the feedback I've received is that developers hate the xmpp-e2e 
> > protocol. It doesn't seem very "Jabberish", it uses S/MIME, it 
> > requires the addition of a CPIM parser (of which none exist 
> AFAIK), etc.
> 
> On top of this, it doesn't appear that xmpp-e2e can secure an 
> <iq> stanza, which I think could be useful (see below).
> 
> > What do you mean by "older e2e drafts"? Things like this?
> >
> > http://www.jabber.org/ietf/attic/draft-ietf-xmpp-e2e-02.html
> >
> > That was still limited to PGP, no?
> 
> Under 'Requirements', item 3 says that either PGP or S/MIME 
> should be possible.
> 
> > JEP-0116 is more in line with the Jabber Way, enables you to sign 
> > and/or encrypt the complete stanza, and enables you to use whatever 
> > keys you want (so could be used with X.509, PGP, RSA, 
> etc.). It based 
> > on the concept of a "session" so you might think it is not 
> appropriate 
> > for "one-shot" use (by which I take it you mean sending a single 
> > stanza);
> 
> Yes, secure session is absolutely needed also, and we need to 
> pursue it.
> 
> However, I do think one-shot security is still useful alone, for three
> reasons:  encrypting of offline messages, signing of 
> presence, and signing of groupchat messages, all of which 
> seem to have no solution otherwise (at least none has been 
> presented in over a year of such discussion).  And we want 
> both PGP and S/MIME here.
> 
> Also, I think one-shot security of <iq> could allow us to 
> leverage the feature for use with session security.  For 
> instance, JEP-116 could be greatly simplified by using 
> 'jabber-e2e' to trade a session key instead of having its own 
> separate procedure.  We can stack our JEPs this way.
> 
> -Justin
> _______________________________________________
> Standards-JIG mailing list
> Standards-JIG at jabber.org
> https://jabberstudio.org/mailman/listinfo/standards-jig
> 



More information about the Standards mailing list