[Standards] Client certification: E2E
ian.paterson at clientside.co.uk
Fri Mar 30 01:34:22 UTC 2007
Fletcher, Boyd C. CIV US USJFCOM JFL J9935 wrote:
> What about using the w3.org's specs for xml encryption and digital signing?
> We have been using both very successfully for years over xmpp.

Well, those specs don't offer Perfect Forward Secrecy. So all the
messages you guys have been sending for years will be vulnerable to
being decrypted, until you securely destroy all copies of all your
long-lived private keys.

XMPP is a session-oriented protocol so it doesn't need to suffer such
vulnerabilities. Those w3.org specs and RFC 3923 are *only* suitable for
encrypting data that is stored (e.g. XEP-0136 and email).
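
The distinction drawn in this message, as an added example that is not part of the original post or of any XMPP specification: a message key wrapped to a long-lived public key stays recoverable from recorded traffic once that key leaks, while a key agreed from per-session ephemeral values does not. The group parameters, the hash-based stream cipher and all function names are assumptions chosen to keep the sketch standard-library only; they are not secure choices for real use.

```python
import hashlib, secrets

# Toy parameters for illustration only (assumption): a Mersenne prime group.
# Real deployments use vetted groups or curves and an authenticated cipher.
P, G = 2**521 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def kdf(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(66, "big")).digest()

def xor_cipher(key: bytes, data: bytes) -> bytes:
    # SHA-256 counter-mode keystream; the same call encrypts and decrypts.
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def stored_object_mode(recipient_pub, msg):
    # Per-message key wrapped to the recipient's long-lived public key
    # (the shape of XML Encryption / S/MIME key transport).
    r, r_pub = keypair()
    return r_pub, xor_cipher(kdf(pow(recipient_pub, r, P)), msg)

def session_mode(msg):
    # Both ends use throwaway keys for this session; long-lived keys would
    # only sign the exchange (signing omitted here) and never derive the key.
    a, a_pub = keypair()
    b, b_pub = keypair()
    ct = xor_cipher(kdf(pow(b_pub, a, P)), msg)
    del a, b  # ephemeral secrets are discarded when the session ends
    return (a_pub, b_pub), ct

def decrypt_with_leaked_key(long_lived_priv, public_values, ct):
    # What a holder of recorded traffic can do once the long-lived key leaks.
    return [xor_cipher(kdf(pow(v, long_lived_priv, P)), ct) for v in public_values]

def demo():
    msg = b"constructed sample message"
    priv, pub = keypair()  # recipient's long-lived key pair
    r_pub, ct1 = stored_object_mode(pub, msg)
    pubs, ct2 = session_mode(msg)
    return (msg in decrypt_with_leaked_key(priv, [r_pub], ct1),
            msg in decrypt_with_leaked_key(priv, pubs, ct2))

if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False)`: the recorded stored-object ciphertext opens with the leaked long-lived key, the recorded session ciphertext does not.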