[Standards-JIG] The Great Encryption Debate

Ian Paterson ian.paterson at clientside.co.uk
Fri Aug 12 16:27:42 UTC 2005


I agree with everything Justin (and Bob Gilson) said about key-JID
association. (If I'd read them first then perhaps my email before-last
would have been a little shorter ;)

Justin wrote:
> a number of clients have implemented JEP-0027

Almost nobody uses it though. We need something that is 100%-transparent
for users and defaults to "always on".


> I do plan to implement JEP-0116

:) :)

> object encryption is simpler to program, 
> and simpler to deploy, particularly for signing
> I additionally plan to implement RFC 3923
> However, I also find it annoying having two
> ways to do the same thing.

I'd *really* like to avoid the need for that too.

I made a few minor changes to the JEP. Now, if you've implemented
JEP-0116, then one-to-one object encryption and object signing are
trivial. See the notes about <terminate/> in Sections 6.1.5 and 6.2.4 of
version 0.6: http://www.clientside.co.uk/jeps/jep-0116/jep-0116.html

No CPIM grumbling necessary. :)

I'm interested in your feedback on using JEP-0116 for one-to-one object
signing.


> [what about] broadcast signed news items[?]

Two possible answers:

Short:  One-to-many is out of scope for JEP-0116.

Long:  Yes. It is inefficient to calculate a different signature (and DH
key) for every user. (Although even with traditional object signing
you'd always have to calculate a few signatures since the recipients
would typically support different public key association systems and
authorities.) This needs more thought.

- Ian




More information about the Standards mailing list