[Standards-JIG] The Great Encryption Debate

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Mon Aug 15 18:29:38 UTC 2005


On Friday 12 August 2005 06:41 am, Ian Paterson wrote:
> 2. Methods for associating a key with a JID
>
> This involves extracting the raw public (RSA or DSA) key from the
> published data and verifying whether it belongs to a specified JID
> (either in-band or out-of-band). There will be as many methods of doing
> this as there are key formats and authorities/WoTs. Clients should
> maintain their own databases of trusted key fingerprints.

For X.509 and PGP, the keys themselves assert who they represent.  So it is 
just a matter of including the JID somewhere in the published key structure 
(for X.509 we already have Section 5.1.1 of XMPP-Core).

For PGP, it might be enough to suggest something like I've done in my JEP 
(Section 6 of http://delta.affinix.com/specs/jep-secure.html).

Unfortunately, it is not easily possible to get a JID into an X.509 
certificate that a CA will sign, and most people don't have their JIDs in 
their PGP key either, so we may need workarounds until that becomes more 
commonplace (i.e., manual selection of the key, which is what Psi does with 
PGP).

-Justin
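The X.509 half of the above, as an added example that is not part of Justin's mail or of the JEP he links: a JID carried as an id-on-xmppAddr otherName in subjectAltName (the form XMPP-Core section 5.1.1 defines, OID 1.3.6.1.5.5.7.8.5), then pulled back out and compared against the JID the client expects. The self-signed certificate, the function names and the JID juliet@example.com are assumptions made for the example; a real client would receive a CA-issued certificate and still has to verify its signature chain separately, since the SAN entry only asserts an identity and proves nothing by itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs: subjectAltName (RFC 5280) and id-on-xmppAddr (XMPP-Core section 5.1.1).
var (
	oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
	oidXmppAddr       = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 5}
)

// otherName mirrors the RFC 5280 OtherName structure. Value keeps the [0] EXPLICIT
// wrapper as a raw TLV on both the encode and decode paths; for xmppAddr the
// wrapped element is a UTF8String holding the JID.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  asn1.RawValue
}

// xmppAddrSAN builds a subjectAltName extension value containing one
// otherName{id-on-xmppAddr, UTF8String(jid)} GeneralName.
func xmppAddrSAN(jid string) ([]byte, error) {
	utf8, err := asn1.MarshalWithParams(jid, "utf8")
	if err != nil {
		return nil, err
	}
	on := otherName{
		TypeID: oidXmppAddr,
		Value:  asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: utf8},
	}
	// GeneralName.otherName is [0] IMPLICIT: the SEQUENCE tag is replaced by [0].
	gn, err := asn1.MarshalWithParams(on, "tag:0")
	if err != nil {
		return nil, err
	}
	// GeneralNames ::= SEQUENCE OF GeneralName
	return asn1.Marshal(asn1.RawValue{Class: asn1.ClassUniversal, Tag: asn1.TagSequence, IsCompound: true, Bytes: gn})
}

// MakeXmppCert returns a self-signed DER certificate asserting jid. It is a
// constructed fixture standing in for the CA-issued certificate a client would see.
func MakeXmppCert(jid string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	san, err := xmppAddrSAN(jid)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: jid},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidSubjectAltName, Value: san}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// XmppAddrs extracts every id-on-xmppAddr otherName from subjectAltName,
// skipping dNSName, rfc822Name and otherName entries of any other type.
func XmppAddrs(cert *x509.Certificate) ([]string, error) {
	var jids []string
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		var names []asn1.RawValue
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
			return nil, err
		}
		for _, gn := range names {
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
				continue // not an otherName
			}
			var on otherName
			if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil {
				return nil, err
			}
			if !on.TypeID.Equal(oidXmppAddr) {
				continue // an otherName of some other type
			}
			var jid string
			if _, err := asn1.Unmarshal(on.Value.Bytes, &jid); err != nil {
				return nil, err
			}
			jids = append(jids, jid)
		}
	}
	return jids, nil
}

// CertAssertsJID reports whether the DER certificate carries jid as an xmppAddr.
// This is only the identity-binding check; chain verification is a separate step.
func CertAssertsJID(der []byte, jid string) (bool, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	addrs, err := XmppAddrs(cert)
	if err != nil {
		return false, err
	}
	for _, a := range addrs {
		if a == jid { // byte-exact; JID stringprep normalisation is out of scope here
			return true, nil
		}
	}
	return false, nil
}

func main() {
	der, err := MakeXmppCert("juliet@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println(CertAssertsJID(der, "juliet@example.com"))
}
```

The comparison is deliberately byte-exact: a client would normally apply JID normalisation to both sides first, and a match here still says nothing about whether the certificate's issuer is one the client trusts.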
