[Standards-JIG] RE: Encrypted sessions
jean-louis.seguineau at laposte.net
Thu Jun 8 21:51:25 UTC 2006
Kevin, no doubt there is no perfect answer. That said, all answers to
"offline messages" encryption require holding a key in some store (on a
workstation, smart card, etc.). This is a known limitation, but it has
been well studied.
By separating the two issues of encrypted session (online communication) and
encrypted offline messages, at least a compromised key on the "offline" side
would not have an effect on the "online" side.
If we want to handle the case of secure offline storage, I'd rather have it
handled in a separate JEP.
Date: Thu, 8 Jun 2006 18:09:47 +0100
From: Kevin Smith <kevin at kismith.co.uk>
Subject: Re: [Standards-JIG] RE: Encrypted sessions
To: Jabber protocol discussion list <standards-jig at jabber.org>
Message-ID: <2B43811B-A8A1-430D-A05F-9C6DA5D7D754 at kismith.co.uk>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
On 8 Jun 2006, at 17:19, Peter Saint-Andre wrote:
> Some people wanted support for encryption of offline
> messages, others (including DizzyD and I as authors of the original
> spec) never thought it was important.
I don't feel particularly passionately about the issue but it does
seem a shame to me to not be able to communicate securely offline.
Some people would like to see XMPP replace email and that might be
somewhat hard if things only work when both participants are online ;)
With that said, I do appreciate it is not a good thing to store keys
if it can be avoided, especially if they can compromise previous, as
well as future, conversations.