[Standards-JIG] UPDATED: JEP-0027 (Current Jabber OpenPGP Usage)

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Wed Mar 17 10:35:52 UTC 2004


On Tuesday 16 March 2004 12:02 am, Jacek Konieczny wrote:
> On Mon, Mar 15, 2004 at 07:14:58PM -0800, Justin Karneges wrote:
> > This means that we could store bare JIDs in RFC 882 form, such as:
> >   Justin Karneges <justin at andbit.net>
> >
> > or by creating our own format, such as:
> >   im:justin at andbit.net
> >
> > I prefer the former, because it extends the notion of the "user at host.com"
> > format as a non-protocol-specific universal ID, which I feel is more in
> > line with PGP's purpose.  However, I remember an argument last year
> > advocating the latter, to cover domain configurations that provision the
> > same username to two different people depending on service/protocol.  Do
> > we really need to go there?
>
> IMHO both should be possible. But I would use prefix "jid:", "jabber:"
> or "xmpp:".
>
> If none of the "prefixed" key ids is known, then the key with matching email
> is to be used as the 'universal' key.

However, if one key in a keyring has a prefixed JID and another key does not, 
should the client simply go with the prefixed key, or should it prompt the 
user to choose between the two matches?

I think if most people don't use the prefix, then the attacker could prefix 
his spoofed JID to gain priority and bypass any user prompting.  Thus, it 
would seem the safest client handling would be to prompt regardless of 
whether or not a prefix is present, which would then defeat the purpose of 
even having such a prefix.

-Justin
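
The two client behaviours weighed in the message above, sketched as an added example (not code from the thread or from any Jabber client): one policy lets a prefixed user ID win silently, the other prompts whenever more than one key names the JID. The function names, key IDs and keyring contents are constructed for illustration; the prefixes are the ones proposed in the quoted reply.

```python
from email.utils import parseaddr

PREFIXES = ("jid:", "jabber:", "xmpp:")  # prefixes proposed in the thread

def uid_to_jid(uid):
    """Return (bare_jid, prefixed) for a key user ID, or (None, False)."""
    text = uid.strip()
    for prefix in PREFIXES:
        if text.lower().startswith(prefix):
            return text[len(prefix):].strip().lower(), True
    addr = parseaddr(text)[1]  # "Name <user@host>" form
    # Assumption: plain lowercasing stands in for real JID normalisation.
    return (addr.lower(), False) if "@" in addr else (None, False)

def candidates(keyring, jid):
    """Sorted (key_id, prefixed) pairs for keys whose user IDs name this JID."""
    found = {}
    for key_id, uids in keyring.items():
        for uid in uids:
            uid_jid, prefixed = uid_to_jid(uid)
            if uid_jid == jid.lower():
                found[key_id] = found.get(key_id, False) or prefixed
    return sorted(found.items())

def decide(pool):
    """One key is used directly, several need the user, none means no key."""
    if not pool:
        return ("none", [])
    return ("use", pool[0]) if len(pool) == 1 else ("prompt", pool)

def select_prefix_first(keyring, jid):
    """Policy questioned in the message: prefixed matches take priority."""
    cands = candidates(keyring, jid)
    return decide([k for k, p in cands if p] or [k for k, _ in cands])

def select_prompt_on_conflict(keyring, jid):
    """Policy the message calls safest: the prefix gives no priority."""
    return decide([k for k, _ in candidates(keyring, jid)])

# Constructed keyring: key IDs and user IDs are made up for illustration.
KEYRING = {
    "KEY-A": ["Justin Karneges <justin@andbit.net>"],  # unprefixed user ID
    "KEY-B": ["jid:justin@andbit.net"],                # prefixed user ID
}

if __name__ == "__main__":
    jid = "justin@andbit.net"
    print(select_prefix_first(KEYRING, jid))        # KEY-B chosen, no prompt
    print(select_prompt_on_conflict(KEYRING, jid))  # both keys shown to user
```
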


