[Standards-JIG] RE: Encrypted sessions
ian.paterson at clientside.co.uk
Thu Jun 8 23:36:13 UTC 2006
> By separating the two issues of encrypted session (online
> communication) and encrypted offline messages, at least a
> compromised key on the "offline" side would not have effect
> on the "online" side.

AFAICT, the online protocol prevents any compromised offline key being
used (the online protocol forces Alice and Bob to produce a signature of
both DH keys together).

I decided to add a new "expiry time" to the Offline ESession Options to
reduce the window of vulnerability that Jean-Louis pointed out earlier.

> If we want to handle the case of secure offline storage, I'd
> rather have it handled in a separate JEP.