[Standards] end to end encryption vs. usability and feature
stpeter at jabber.org
Tue Feb 27 23:37:59 UTC 2007
Olivier Goffart wrote:
> On Tuesday 27 February 2007, Peter Saint-Andre wrote:
>> Our protocol does not use the server to share server keys. Please read
>> the specs before you comment.
> Which protocol?
> At least XEP-0189 uses the server since all keys are sent with <iq/> that are
> routed by the server, so the server is free to modify them.
Yes, that is a possible attack against the public (not private!) key
storage method. The spec is currently in last call so feel free to
review it and provide suggested text or protocol changes. By the way,
XEP-0189 is used only for encrypting offline messages, which is not the
main use case here (see XEP-0200 and XEP-0116 for information about
> And this is the same with XEP-0116 (but with <messages/>)
Sure, any given server can modify any given stanza. But you'd figure
that out pretty quickly in OTR since it ensures integrity. At least this
way you can know that the server is tampering with your stanzas.
XMPP Standards Foundation