I'm a fan of using OpenPGP also, but you're right, the way it is done in JEP-27 is totally overkill. We need a way to use OpenPGP to derive a symmetric key, and then use that key for the actual messages.
I think (and hope) this is what JEP-102 is for. As far as I know, it details a way to use a symmetric key for packet security, and the initial symmetric key exchange process can be done either with OpenPGP, X509, or on-the-fly RSA keys. I think this should make everyone happy. However, I admit I have not fully comprehended the JEP yet.

-Justin

On Wednesday 30 July 2003 02:19 am, David Banes wrote:
> I'll be implementing the OpenPGP JEP in our new client as it's easy'ish
> to do. But I will need to make some changes to handle real time
> symmetric key exchange as using asymmetric for encryption is just not
> viable. Therefore I'll have to a) accept my client won't do OpenPGP with
> any other client, or b) work out how to update the existing JEP, which
> is probably not a good idea, or is it?
>
> Basically, I'm mirroring the functionality I have already tested and
> know works in our older (non-Jabber) client until I can see a clear way
> ahead. This gives us end to end crypto, including digital signatures.
>
> David.
>
> In <[EMAIL PROTECTED]> Peter Saint-Andre wrote:
> > At the recent IETF meeting, I was asked to follow up with the Jabber
> > developer community about obstacles (or resistance) to implementing
> > certain aspects of the XMPP specs (<http://www.jabber.org/ietf/>). The
> > IETF folks perceive the presence of an active developer community as a
> > Good Thing [tm], so I think they are interested in how likely it is
> > that the current developer community will implement the specs as
> > written.
> >
> > The main topics mentioned to me relate to security, specifically SASL
> > for authentication, TLS for channel encryption, and CPIM + S/MIME for
> > end-to-end encryption. Do people think they will be able to integrate
> > existing libraries for these protocols into their applications (or
> > write their own support, as Rob Norris recently did for SASL in
> > jabberd2)? How likely is it that existing clients will implement
> > draft-ietf-xmpp-e2e, which uses CPIM and S/MIME for end-to-end
> > encryption?
> >
> > From discussions so far, my sense is that SASL and TLS support will be
> > added once it's in the jabberd server, but that client developers are
> > fairly resistant to adding support for the end-to-end encryption spec
> > given the need to parse CPIM formats (no existing libraries as far as
> > I know) and support S/MIME (for which there are libraries, although
> > the use of S/MIME is not very "Jabberish").
> >
> > Feel free to reply on or off list.
> >
> > Thanks!
> >
> > Peter
> >
> > P.S. Yes, I owe the community an informational document that clearly
> > defines the differences between XMPP and Jabber for things like
> > authentication and session initiation. I will write that document
> > by the middle of August.
>
> _______________________________________________
> jdev mailing list
> [EMAIL PROTECTED]
> http://mailman.jabber.org/listinfo/jdev
