[Standards-JIG] The Great Encryption Debate

Ian Paterson ian.paterson at clientside.co.uk
Fri Aug 12 17:28:51 UTC 2005


We seem to have a consensus (including Peter) that:
"It is not possible or desirable to obtain consensus on a single method
of verifying that a public key (RSA or DSA) is associated with a JID".

In the interests of coming to another consensus, here is another
question: Does that consensus mean we can rule out both RFC 3923
(S/MIME) and JEP-0027 (PGP) since they are tied to the X.509 (CA) and
PGP (WoT) methods respectively?

Of course I am not suggesting that we don't support X.509 certificates
or PGP public keys. These are essential *optional* components. I'm just
suggesting that we can't rely on RFC 3923 or JEP-0027 for
encryption/signing etc., because they are not flexible enough.

[I'm asking this even before we consider that S/MIME and PGP are poorly
adapted to the needs of IM, and their reliance on encryption with
long-term keys means that any future compromise of a key would be
catastrophic.]

- Ian

P.S. I am also not suggesting that we have consensus on JEP-0116.




More information about the Standards mailing list