[Standards-JIG] UPDATED: JEP-0027 (Current Jabber OpenPGP Usa ge)

Jacek Konieczny jajcus at bnet.pl
Wed Mar 17 14:32:08 UTC 2004


On Wed, Mar 17, 2004 at 02:35:52AM -0800, Justin Karneges wrote:
> However, if one key in a keyring has a prefixed JID and another key does not, 
> should the client simply go with the prefixed key, or should it prompt the 
> user to choose between the two matches?
> 
> I think if most people don't use the prefix, then the attacker could prefix 
> his spoofed JID to gain priority and bypass any user prompting. 

User should be warned if untrusted key is used for signature
verification or encryption. If both keys are trusted one of them could
be prefered and choosen without asking the user. If the key to be used
is untrusted, then the user has to be asked about it anyway. 

Greets,
	Jacek



More information about the Standards mailing list