[Standards] Any protocol to request encrypted connections?
ian.paterson at clientside.co.uk
Mon Feb 5 19:04:05 UTC 2007
Matthias Wimmer wrote:
>> Well, and even when we verify the identity of the destination server,
>> we don't verify that the destination server is properly routing the
>> stanza to the intended recipient. But I'd think that encrypted
>> sessions would help here.
> I don't want to address the usecases of e2e by my question. One of the
> use-cases I have in mind is more light-weight. I thought, that you
> might e.g. operate a company server, that can be accessed from the
> public internet as well. But some of the data you send to your clients
> should only be sent out, if the connection to the client is protected.
> It would be helpful if the sender of such information/events could
> just pass an indication, that this data should only be forwarded if
> the destination is verified.
Is it sufficient for all communications to be encrypted and for the
receiver's server to verify that the receiver is who the receiver's
server thinks the receiver is? If so, then that is accomplished simply
by verifying that only encrypted, authenticated s2s will be used, and
that the receiver logged in using an encrypted session and some form of
If you are saying that isn't enough, because you want proof of
identity... then which identity? You're going to have to send the
identity of the receiver to the receiver's server. (Otherwise how do you
know that your idea of the identity of the receiver is the same as
receiver's server's idea.) You're also going to have to give your server
the identity of the receiver's server... might there be other hops you
don't know about?
I know you're looking for something light-weight, but IMHO there isn't a
simple solution, and you're totally dependant on none of the
intermediaries having been compromised.
Once clients support e2e all these issues will be resolved.
More information about the Standards