[Standards-JIG] The Great Encryption Debate
dwaite at gmail.com
Tue Aug 2 23:01:14 UTC 2005
> 3) presence signing. JEP-0116 does not cover this topic. What do others
> think about it? This might be something that only object security can
Presence signing is both non-targeted and extremely sensitive to
replay, so it cannot be used to verify the authenticity of a user
without further challenging by particular peers. What are the reasons
seen for wanting to sign presence?
Also, how would xml be signed? I evaluated traditional xml
canonicalization with xml-security a while back, and came to the
conclusion that servers were not conformant enough to xml for xmpp to
be a safe/realistic transport of signed data, unless that data was
under some text encoding like base64.
> 4) groupchat. I disagree with section 4.2.1. I think we should find a way
> to secure groupchat right away, especially with something session-based.
It is hard. Is the server the channel is on considered a trusted
intermediary, or do you negotiate a key between peers? Does the key
expire, if so who generates a new key?
> 5) public key transport. We really should move this to a separate JEP, I
> think we'll be able to think more clearly, especially since it is part of the
> session vs. object security overlap.
Agreed. PKI isn't a footnote :)
More information about the Standards