[Standards-JIG] RE: Encrypted sessions

Ian Paterson ian.paterson at clientside.co.uk
Thu Jun 8 23:36:13 UTC 2006


> By separating the two issues of encrypted session (online
> communication) and encrypted offline messages, at least a
> compromised key on the "offline" side would not have an effect
> on the "online" side.

AFAICT, the online protocol prevents any compromised offline key being
used (the online protocol forces Alice and Bob to produce a signature of
both DH keys together).

I decided to add a new "expiry time" to the Offline ESession Options to
reduce the window of vulnerability that Jean-Louis pointed out earlier.

> If we want to handle the case of secure offline storage, I'd 
> rather have it handled in a separate JEP. 

Yes.

- Ian
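The point above, that signing both DH values together stops a leaked offline key from being spliced into an online session, is easier to see in code. The following is an added illustration, not code from the JEP or from the list; it assumes a toy DH group (the Mersenne prime 2^61-1 with generator 2) and uses an HMAC under a long-term key as a stand-in for the public-key signature the protocol actually uses, since the binding argument is the same either way. It also includes a minimal check for the offline-options expiry time mentioned in the reply; the field name and time format are assumptions.

```python
"""Toy model: why the online signature must cover BOTH DH keys.

Added example, not the JEP's or the list's code. Assumptions: a tiny DH
group and HMAC standing in for the responder's long-term signature.
"""
import hashlib
import hmac
import secrets
import time

# Constructed toy DH group. Real deployments use a standard group; this
# one only keeps the numbers short enough to read.
P = 2**61 - 1
G = 2


def dh_keypair():
    """Fresh (private exponent, public value) pair."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_secret(my_priv, their_pub):
    return hashlib.sha256(pow(their_pub, my_priv, P).to_bytes(8, "big")).digest()


def encode(*values):
    """Canonical, length-prefixed encoding of the values being signed."""
    out = b"esession-toy-v1"
    for v in values:
        b = v.to_bytes(8, "big")
        out += len(b).to_bytes(2, "big") + b
    return out


def sign(long_term_key, data):
    # Assumption: HMAC under Bob's long-term key stands in for his signature.
    return hmac.new(long_term_key, data, hashlib.sha256).digest()


def verify(long_term_key, data, tag):
    return hmac.compare_digest(sign(long_term_key, data), tag)


# Weak variant: the responder signs only his own DH value.
def sign_own_key_only(bob_key, bob_pub):
    return sign(bob_key, encode(bob_pub))


def accept_own_key_only(bob_key, bob_pub, sig):
    return verify(bob_key, encode(bob_pub), sig)


# Online-ESession style: the signature covers both parties' DH values.
def sign_both_keys(bob_key, alice_pub, bob_pub):
    return sign(bob_key, encode(alice_pub, bob_pub))


def accept_both_keys(bob_key, alice_pub, bob_pub, sig):
    return verify(bob_key, encode(alice_pub, bob_pub), sig)


def honest_run(bind_both):
    """Both variants work when nobody tampers: Alice accepts and keys agree."""
    bob_key = secrets.token_bytes(32)
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    if bind_both:
        ok = accept_both_keys(bob_key, a_pub, b_pub, sign_both_keys(bob_key, a_pub, b_pub))
    else:
        ok = accept_own_key_only(bob_key, b_pub, sign_own_key_only(bob_key, b_pub))
    return ok and shared_secret(a_priv, b_pub) == shared_secret(b_priv, a_pub)


def substituted_key_accepted(bind_both):
    """Constructed leak: an old offline key K of Bob's, its private part and a
    signature Bob once made over it, are all known to a third party. That
    party swaps K (plus the old signature) for Bob's fresh value in a new
    online session. Returns True if Alice wrongly accepts K."""
    bob_key = secrets.token_bytes(32)
    _k_priv, k_pub = dh_keypair()             # leaked offline key
    _old_priv, old_initiator_pub = dh_keypair()  # whoever K was once signed for
    if bind_both:
        leaked_sig = sign_both_keys(bob_key, old_initiator_pub, k_pub)
    else:
        leaked_sig = sign_own_key_only(bob_key, k_pub)

    _a_priv, a_pub = dh_keypair()             # Alice's fresh value today
    if bind_both:
        # Alice checks the signature against the A she actually sent: the old
        # signature was over a different initiator value, so it fails.
        return accept_both_keys(bob_key, a_pub, k_pub, leaked_sig)
    # Without binding, the leaked (K, signature) pair verifies as-is.
    return accept_own_key_only(bob_key, k_pub, leaked_sig)


def offline_options_fresh(expires_at, now=None):
    """Assumed shape of the new expiry check: offline ESession options are
    usable only before their expiry time (POSIX seconds)."""
    now = time.time() if now is None else now
    return now < expires_at
```

Running `honest_run` shows both variants interoperate, but only `substituted_key_accepted(True)` rejects the leaked key; the expiry check then bounds how long even a correctly signed offline key remains usable.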