[Standards-JIG] Re: UPDATED: JEP-0027 (Current Jabber OpenPGP Usa ge)

Joe Hildebrand JHildebrand at jabber.com
Thu Mar 18 20:07:42 UTC 2004


> > How can you trust the jabber:iq:time result? Mallory could have 
> > intercepted the time query result.
> 
> c2s encryption?  In any case, such a query is simply a hint.  
> The client won't actually use this value, it would just aid 
> those with screwy clocks.

But what if that hint is malicious.  The whole point of e2e is that you
don't trust the server.

You can't store things on the server, unless they are encrypted with your
private key.  You can't rely on the server to provide hints.  You can't rely
on the server to always respond the same way to the same request, as well.

So, for example, storing your public key in vcard probably isn't good
enough.  What if Mallory rooted your server, and had it respond with one
public key when you asked for yours (to check it), and a different one to
me?

-- 
Joe Hildebrand




More information about the Standards mailing list