[Standards] Any protocol to request encrypted connections?

Ian Paterson ian.paterson at clientside.co.uk
Mon Feb 5 21:43:21 UTC 2007


Matthias Wimmer wrote:
> Especially if I am not able to do e2e. E.g. because the destination's 
> server does not want to allow e2e encryption because it has to log all 
> exchanged messages, because the message is passing a gateway and we 
> already start to forget RFC 3923, or just because the client is 
> connecting using a web-based interface.

Yes, you're right (although Web clients will do full-strength e2e).

The 'security' field in XEP-0155 allows the sender (or receiver) to 
specify that both clients must be securely connected to their servers. 
But something like XEP-0079 will be necessary for s2s... unless we 
specify in RFC3920bis that servers MUST use SASL-TLS for all s2s 
connections!

> With the web-based interface the user cannot do e2e encryption without 
> giving away his keys...

The client can either accept or generate a key pair and then 
symmetrically encrypt the private key with a hash of (one of) the user's 
password(s). (The server doesn't have the password because that is not 
necessary with SASL.) The encrypted private key is then stored with the 
user's private data on the server. Unfortunately the user still has to 
trust that her Web server hasn't been compromised - since she downloads 
her client from that server every time (using TLS).

- Ian
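
The key-wrapping scheme described in the message above, sketched as an added example that is not part of the original post or of any XEP. It assumes Node.js `crypto`, and it swaps the plain password hash for scrypt with a random salt and uses AES-256-GCM for the symmetric step; the function names and sample values are constructed for illustration.

```javascript
// Added example: wrap a private key under a password-derived key (Node.js crypto).
const crypto = require('crypto');

// scrypt cost parameters and AES-256-GCM are choices of this example, not from the post.
const KDF = { N: 16384, r: 8, p: 1 };

function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, KDF);
}

// Client side: returns the only object that is uploaded to the server.
function wrapPrivateKey(privateKey, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const der = privateKey.export({ type: 'pkcs8', format: 'der' });
  const ct = Buffer.concat([cipher.update(der), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Client side, after download: throws if the password is wrong or the blob was altered.
function unwrapPrivateKey(blob, password) {
  const key = deriveKey(password, Buffer.from(blob.salt, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  const der = Buffer.concat([decipher.update(Buffer.from(blob.ct, 'base64')), decipher.final()]);
  return crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
}

// Round trip with constructed sample values; returns what a caller would observe.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const stored = wrapPrivateKey(privateKey, 'constructed-sample-password');
  const recovered = unwrapPrivateKey(stored, 'constructed-sample-password');
  const msg = Buffer.from('constructed test message');
  const sigOk = crypto.verify(null, msg, publicKey, crypto.sign(null, msg, recovered));
  let wrongPasswordRejected = false;
  try { unwrapPrivateKey(stored, 'wrong-password'); } catch (e) { wrongPasswordRejected = true; }
  return { sigOk, wrongPasswordRejected, storedFields: Object.keys(stored).sort().join(',') };
}

console.log(demo());
```

The stored object holds only the salt, IV, authentication tag and ciphertext, so the server never sees the password or the plaintext key. The code that performs the wrapping is still delivered by that server, which is the residual trust the message points out.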
