[Standards-JIG] RE: Encrypted sessions
stpeter at jabber.org
Thu Jun 8 16:19:34 UTC 2006
Ian Paterson wrote:
> Jean-Louis wrote:
>> The JEP-116 without "offline encryption"
>> will be even more secure, because there won't be any inter
>> session key material left to be compromised. This is what
>> real Perfect Forward Secrecy is about.
> Since the alternative is no encryption of offline messages, it could
> hardly be "even more secure". ;-)
> Offline messages would still benefit from Perfect Forward Secrecy,
> although PFS would not start until the user came online.
>> The added complexity comes in the management of crypto material
>> sessions (check, remove, add, etc...) just for the sake of
>> "offline encryption". Without this part, JEP-116
>> implementation is straightforward. Is the added complexity
>> worth the effort?
> IMHO yes, absolutely (see above).
> Note that offline encryption is already optional (MAY), so implementors
> can decide for themselves.
> If it makes it easier for implementors I suppose we could consider
> splitting the document into two JEPs?
> After all, online-only encryption is better than no encryption at all.
We've had many discussions about this, starting back when JEP-0116 was
first published. Some people wanted support for encryption of offline
messages, others (including DizzyD and I as authors of the original
spec) never thought it was important. If the person you want to chat
with is offline, you have many options:
1. Wait until the person is online (presence rocks).
2. Send one offline message saying "ping me when you're online".
3. Send encrypted email saying "let's set up a time to chat".
Jabber Software Foundation