[Standards] OpenPGP and XEP-0027

Goffi goffi at goffi.org
Fri Jul 31 08:40:30 UTC 2015

On 31/07/2015 10:27, Daniele Ricci wrote:
> Hello Goffi,
> XEP-0027 has serious security concerns, especially regarding replay
> attacks and key verification (you can read those in the "Security
> considerations" paragraph of the XEP). It's true that a real
> replacement hasn't been drafted yet (there are some drafts, but
> nothing really definitive or practical to use).
> In my project I use a modified version of XEP-0027, using XEP-0189 for
> key management (supervised by the server). I took an example from an
> e2e RFC draft (I really can't remember the number now, sorry), which
> used Message/CPIM to enforce message metadata inside the encrypted
> content. That's a bit more secure than plain XEP-0027, still there are
> many other attack vectors that can be used. I'll probably draft a XEP
> one day.
> As for making XEP-0027 obsolete, that XEP is just informative: it's
> the description of a protocol that was never standardized and as I
> said it had security issues from the beginning. But at the time,
> security was a different thing ;-)

OK, I understand. That means that OpenPGP use with XMPP is not discarded 
and we just need a proper and more secure XEP. I would be really 
interested if you publish a protoXEP one day. Thanks for your answer.
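The thread above describes two weaknesses of plain XEP-0027 (replayed messages, and no binding between the encrypted body and the stanza it arrives in) and Daniele's mitigation of placing Message/CPIM headers inside the encrypted content. The following is an added illustration written for this archive page, not code from either poster or from any project mentioned: it builds the CPIM envelope that would then be OpenPGP-encrypted and signed, and on the receiving side checks the inner `From`/`To` against the outer stanza, rejects envelopes whose `DateTime` falls outside an acceptance window, and refuses an exact replay. It assumes the caller has already decrypted the body and verified the signature, that bare JIDs are compared (an assumption), that `<xmpp:...>` is the URI form used in the headers (an assumption), and that a 5-minute window is acceptable (a constructed value).

```python
import calendar
import hashlib
import time

# Assumption for this example: tolerate five minutes of clock skew and delivery delay.
REPLAY_WINDOW_SECONDS = 300
DATETIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def build_cpim(sender, recipient, body, now=None):
    """Return the plaintext Message/CPIM envelope that is then encrypted and signed.

    The sender and recipient (bare JIDs, an assumption of this example) and the
    send time are carried inside the protected content, so a relay cannot
    change them without breaking the signature.
    """
    sent = now if now is not None else time.time()
    stamp = time.strftime(DATETIME_FORMAT, time.gmtime(sent))
    return (
        f"From: <xmpp:{sender}>\r\n"
        f"To: <xmpp:{recipient}>\r\n"
        f"DateTime: {stamp}\r\n"
        "\r\n"
        "Content-Type: text/plain; charset=utf-8\r\n"
        "\r\n"
        f"{body}"
    )


def _parse_headers(block):
    """Turn 'Name: value' lines into a dict with lower-cased names."""
    headers = {}
    for line in block.split("\r\n"):
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def verify_cpim(plaintext, stanza_from, stanza_to, seen, now=None):
    """Validate a decrypted, signature-checked CPIM envelope against its stanza.

    Returns (True, body) when accepted, otherwise (False, reason).
    `seen` is a set of digests of envelopes already accepted; it only needs to
    retain entries for REPLAY_WINDOW_SECONDS because older ones are rejected
    by the DateTime check anyway.
    """
    now = now if now is not None else time.time()
    head, _, rest = plaintext.partition("\r\n\r\n")
    headers = _parse_headers(head)

    # Binding check: the addresses inside the protected content must match the
    # stanza the message actually arrived in.
    if headers.get("from") != f"<xmpp:{stanza_from}>":
        return False, "inner From does not match stanza from"
    if headers.get("to") != f"<xmpp:{stanza_to}>":
        return False, "inner To does not match stanza to"

    # Freshness check: a stale DateTime limits how long a captured message can be reused.
    try:
        sent = calendar.timegm(time.strptime(headers.get("datetime", ""), DATETIME_FORMAT))
    except ValueError:
        return False, "missing or malformed DateTime"
    if abs(now - sent) > REPLAY_WINDOW_SECONDS:
        return False, "DateTime outside the acceptance window"

    # Replay check within the window: an identical envelope is accepted only once.
    digest = hashlib.sha256(plaintext.encode("utf-8")).hexdigest()
    if digest in seen:
        return False, "replayed envelope"
    seen.add(digest)

    _, _, body = rest.partition("\r\n\r\n")
    return True, body


if __name__ == "__main__":
    # Constructed sample exchange.
    cache = set()
    env = build_cpim("alice@example.org", "bob@example.org", "hello", now=1000.0)
    print(verify_cpim(env, "alice@example.org", "bob@example.org", cache, now=1010.0))
    print(verify_cpim(env, "alice@example.org", "bob@example.org", cache, now=1020.0))
    print(verify_cpim(env, "alice@example.org", "carol@example.org", set(), now=1010.0))
```

The three calls at the bottom show the envelope accepted once, the same bytes rejected as a replay, and the same envelope rejected when delivered to a different recipient than the one named inside the protected content. Real XMPP `from` attributes usually carry a resource, so a deployment would have to decide whether to compare bare or full JIDs before adopting this check.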
