[Standards-JIG] The Great Encryption Debate
justin-keyword-jabber.093179 at affinix.com
Mon Aug 15 18:29:38 UTC 2005
On Friday 12 August 2005 06:41 am, Ian Paterson wrote:
> 2. Methods for associating a key with a JID
> This involves extracting the raw public (RSA or DSA) key from the
> published data and verifying whether it belongs to a specified JID
> (either in-band or out-of-band). There will be as many methods of doing
> this as there are key formats and authorities/WoTs. Clients should
> maintain their own databases of trusted key fingerprints.
For X.509 and PGP, the keys themselves assert who they represent. So it is
just a matter of including the JID somewhere in the published key structure
(for X.509 we already have Section 5.1.1 of XMPP-Core).
For PGP, it might be enough to suggest something like I've done in my JEP
(Section 6 of http://delta.affinix.com/specs/jep-secure.html).
Unfortunately, it is not easily possible to get a JID into an X.509
certificate that a CA will sign, and most people don't have their JIDs in
their PGP key either, so we may need workarounds until that becomes more
commonplace (i.e., manual selection of the key, which is what Psi does with
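The X.509 side of this, as an added example that is not part of the thread or of Psi's code: a stdlib-only DER walker that checks whether a certificate's subjectAltName asserts a given JID through the id-on-xmppAddr otherName (OID 1.3.6.1.5.5.7.8.5) that XMPP-Core section 5.1.1 specifies, so a client can tell when it must fall back to manual key selection. The SAN blob and the JID are constructed for the example.

```python
# Added example: does an X.509 subjectAltName bind a JID via id-on-xmppAddr?
# Not from the original thread; sample SAN below is constructed.
ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"   # id-on-xmppAddr, as used by XMPP-Core 5.1.1

def _read_tlv(data, pos):
    """Parse one DER TLV at pos -> (tag, value, next_pos). Single-byte tags only."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                                # base-128 arcs
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def xmpp_addrs_from_san(san_der):
    """Return every id-on-xmppAddr value in a DER GeneralNames (subjectAltName)."""
    tag, names, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    addrs, pos = [], 0
    while pos < len(names):
        tag, body, pos = _read_tlv(names, pos)
        if tag != 0xA0:                                # otherName [0] IMPLICIT only
            continue
        _, oid, after_oid = _read_tlv(body, 0)         # type-id OBJECT IDENTIFIER
        if _decode_oid(oid) != ID_ON_XMPPADDR:
            continue
        _, inner, _ = _read_tlv(body, after_oid)       # value [0] EXPLICIT wrapper
        itag, utf8, _ = _read_tlv(inner, 0)
        if itag == 0x0C:                               # UTF8String
            addrs.append(utf8.decode("utf-8"))
    return addrs

def cert_asserts_jid(san_der, jid):
    """True only when the certificate itself names the JID (exact match)."""
    return jid in xmpp_addrs_from_san(san_der)

def _tlv(tag, value):
    """Minimal DER encoder used only to build the constructed sample."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

XMPPADDR_OID_DER = bytes.fromhex("2b06010505070805")  # 1.3.6.1.5.5.7.8.5
SAMPLE_SAN = _tlv(0x30, _tlv(0x82, b"example.com") + _tlv(0xA0, _tlv(0x06, XMPPADDR_OID_DER)
             + _tlv(0xA0, _tlv(0x0C, b"juliet@example.com"))))   # constructed
SAMPLE_SAN_NO_JID = _tlv(0x30, _tlv(0x82, b"example.com"))         # dNSName only
```

The exact string comparison is a simplification: a real client would canonicalize both JIDs (stringprep) before comparing, and an empty result is the signal to fall back to manual key selection.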