[Standards-JIG] RE: Encrypted sessions

Jean-Louis Seguineau jean-louis.seguineau at laposte.net
Thu Jun 8 21:51:25 UTC 2006


Kevin, no doubt there is no perfect answer. That said, all answers to
"offline messages" encryption require holding a key in some store (on a
workstation, smart card, etc.). This is a known limitation, but it has
been well studied.
By separating the two issues of encrypted session (online communication) and
encrypted offline messages, at least a compromised key on the "offline" side
would not have an effect on the "online" side.

If we want to handle the case of secure offline storage, I'd rather have it
handled in a separate JEP. 

Jean-Louis    

-----Original Message-----
Message: 1
Date: Thu, 8 Jun 2006 18:09:47 +0100
From: Kevin Smith <kevin at kismith.co.uk>
Subject: Re: [Standards-JIG] RE: Encrypted sessions
To: Jabber protocol discussion list <standards-jig at jabber.org>
Message-ID: <2B43811B-A8A1-430D-A05F-9C6DA5D7D754 at kismith.co.uk>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

On 8 Jun 2006, at 17:19, Peter Saint-Andre wrote:
> Some people wanted support for encryption of offline
> messages, others (including DizzyD and I as authors of the original
> spec) never thought it was important.

I don't feel particularly passionately about the issue but it does  
seem a shame to me to not be able to communicate securely offline.  
Some people would like to see XMPP replace email and that might be  
somewhat hard if things only work when both participants are online ;)

With that said, I do appreciate it is not a good thing to store keys
if it can be avoided, especially if they can compromise previous, as
well as future, conversations.

/K




