[Standards-JIG] UPDATED: JEP-0027 (Current Jabber OpenPGP Usage)

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Thu Mar 18 09:45:49 UTC 2004


On Thursday 18 March 2004 12:52 am, Matthias Wimmer wrote:
> Sure the server can DoS - but if we care about replay attacks at all,
> then we should not allow the server to make replay attacks possible
> (maybe even unintentionally by restoring a backup of the user's
> account).

Right, although this is unfortunately possible with both types of ID storage.  
For sender ID storage, the server simply deletes the IDs.  For receiver ID 
storage, the server replays a backup.  I pondered about this nearly all day 
yesterday, and concluded that it is impossible to securely save any replay 
cache data on the server (unless the server is trusted).

However, I don't think this is a big deal.  If you change locations, simply 
carry your important data with you.  Ideally you'd have all of your important 
files (keyring, replay cache, etc.) in a nice transferable bundle.

One idea I have in mind is to come up with a non-client-specific file format 
for the xmpp replay cache, to allow for easy transferring/sharing between 
clients and locations.

-Justin
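
The argument in the message above, as an added example that is not part of the original post: a small model of a replay cache whose storage is held either by the server or by the client. The class names, the `msg-1` ID and the JSON bundle layout are assumptions made for illustration; the post does not define a file format.

```python
import copy
import json


class ServerStore(dict):
    """Storage held by an untrusted server: it can delete or roll back the data."""

    def backup(self):
        self._snapshot = copy.deepcopy(dict(self))

    def restore(self):
        self.clear()
        self.update(copy.deepcopy(self._snapshot))

    def wipe(self):
        self.clear()


class ReplayCache:
    """Remembers the IDs of messages already accepted (hypothetical model)."""

    def __init__(self, store):
        self.store = store  # any dict-like persistence

    def accept(self, msg_id):
        seen = self.store.setdefault("seen", [])
        if msg_id in seen:
            return False  # replay detected
        seen.append(msg_id)
        return True

    def export_bundle(self):
        # Hypothetical portable format: a JSON object listing the seen IDs.
        return json.dumps({"seen": self.store.get("seen", [])})


def replay_accepted(store_on_server, server_action):
    """True if a replayed message gets through after the server acts."""
    server = ServerStore()
    cache = ReplayCache(server if store_on_server else {})
    server.backup()                   # snapshot predates the message
    cache.accept("msg-1")             # constructed ID, first delivery
    getattr(server, server_action)()  # "restore" or "wipe"
    return cache.accept("msg-1")      # the same message delivered again


def replay_accepted_after_move():
    """Carry the cache to a new location as a bundle, then see the replay."""
    old = ReplayCache({})
    old.accept("msg-1")
    new = ReplayCache(json.loads(old.export_bundle()))
    return new.accept("msg-1")
```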