[Standards-JIG] Re: The Great Encryption Debate

David Chisnall theraven at sucs.org
Tue Aug 9 15:47:25 UTC 2005


On 9 Aug 2005, at 16:37, Justin Karneges wrote:

> The trouble I always run into when trying to come up with  
> effortless security
> is the issue of private keys.  No matter what we do, the user will  
> end up
> with a private key (among other possible things, such as trust  
> signatures)
> which will need to be maintained somehow.  The largest problem is  
> that the
> user won't have any security if he attempts to login from another  
> machine.
> Another problem is that this private data is at risk if the user  
> does not
> know he should protect it (or does not know that he even has it!).

The mechanism I would suggest would be for a private key to be stored  
on the server, symmetrically encrypted.  When using a different  
machine, the user would enter their normal Jabber password (for the  
server) and their pass-phrase for encryption.  The (encrypted)  
private key would then be downloaded and decrypted on the client.   
Not quite seamless, but it is relatively easy to use.  The only  
problem with this is that it is vulnerable to an off-line attack if  
the server is compromised.  Of course the ideal solution would be for  
everyone to use a USB cryptography device, but that's not entirely  
feasible...



More information about the Standards mailing list