[Standards] Client certification: E2E

Ian Paterson ian.paterson at clientside.co.uk
Fri Mar 30 01:34:22 UTC 2007


Fletcher, Boyd C. CIV US USJFCOM JFL J9935 wrote:
> What about using the w3.org's specs for xml encryption and digital signing?
>
> We have been using both very successfully for years over xmpp.
>

Well, those specs don't offer Perfect Forward Secrecy. So all the 
messages you guys have been sending for years will be vulnerable to 
being decrypted, until you securely destroy all copies of all your 
long-lived private keys.

XMPP is a session-oriented protocol so it doesn't need to suffer such 
vulnerabilities. Those w3.org specs and RFC 3923 are *only* suitable for 
encrypting data that is stored (e.g. XEP-0136 and email).

- Ian
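
Added example, not part of Ian Paterson's message: a toy model of the difference he describes between encrypting to a long-lived key and keying a session with ephemeral values. The Diffie-Hellman group, the keystream construction and all function names are assumptions made for illustration; this is not the W3C XML Encryption or RFC 3923 format, and authentication of the ephemeral keys is omitted.

```python
import hashlib, hmac, secrets

# Toy group, illustration only (constructed): 2**127 - 1 is prime but far too
# small for real use; deployments use a standardized group or an elliptic curve.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def xor_stream(key, data):
    # HMAC-SHA256 keystream, one block per 32 bytes; applying it twice decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def object_style(recipient_long_pub, msg):
    # Stored-object model: content key derived from the recipient's long-lived key.
    e_priv, e_pub = keypair()
    return e_pub, xor_stream(shared_key(e_priv, recipient_long_pub), msg)

def session_style(msg):
    # Session model: both ends use fresh keys that are discarded afterwards.
    # Long-lived keys would only sign a_pub/b_pub (authentication omitted here).
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    assert shared_key(a_priv, b_pub) == shared_key(b_priv, a_pub)
    return a_pub, b_pub, xor_stream(shared_key(a_priv, b_pub), msg)

def open_with_long_lived_key(long_priv, recorded_pub, ct):
    # What a later holder of the long-lived private key gets from a recorded transcript.
    return xor_stream(shared_key(long_priv, recorded_pub), ct)

def demo():
    msg = b"constructed sample message"
    long_priv, long_pub = keypair()
    e_pub, ct_obj = object_style(long_pub, msg)
    a_pub, _b_pub, ct_sess = session_style(msg)
    return (open_with_long_lived_key(long_priv, e_pub, ct_obj) == msg,
            open_with_long_lived_key(long_priv, a_pub, ct_sess) == msg)

if __name__ == "__main__":
    print(demo())
```

The first result shows why recorded object-encrypted traffic stays readable for as long as the long-lived private key exists; the second shows that the same key yields nothing once the session's ephemeral keys are gone.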



