[Standards-JIG] XMPP trust diameter

Peter Saint-Andre stpeter at jabber.org
Thu May 25 01:41:56 UTC 2006


Jean-Louis Seguineau wrote:
> I am not 'mixing' terms, Hal, just 'stating' what I have read and heard
> people saying ;) 
> 
> Thanks, it helps. You just confirmed some of the shortcomings associated
> with these statements. But it is bringing more questions.
> 
> I recall Peter using the fact an XMPP server was rewriting the 'from' JID as
> an argument against SIP in terms of trusting the source of the message... In
> your opinion, are we saying this address rewriting increases trust?

It helps, yes. It's harder to run a rogue server than to be a rogue
client, so rewriting the 'from' address raises the bar. Add in server
dialback and that makes it a lot harder to fake from addresses in XMPP
than in SMTP. Impossible to fake? No. But a lot harder (and hard enough
that the spammers will use some other network). Remember, we don't need
to be the fastest antelope, just an antelope that is fast enough so that
someone else will be eaten.

> And if
> it does, are we saying this trust becomes invalid outside one's own home
> server?

Why would it become invalid?

> More generally, you seem to refer to trust as only being established between
> persons. I believe this is a bit restrictive. In your opinion, can we
> envisage a possibility to increase the trust level if we introduce a way for
> an XMPP entity to assert that the source JID of a stanza has been properly
> authenticated? Or would you say we always need to perform this verification
> against a particular context's asserting party?

I think we can make the whole network more trustworthy through the
ubiquitous use of TLS for server to server, etc. I'm working on a
proposal about that now...

/psa

