-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michal Vaner (Vorner) wrote:
>> In fact anyone wanting to implement encrypted communications in their >> clients should be implementing JEP-0116, and _not_ JEP-0027 - is >> backwards compatability with older clients a good enough reason to >> implement something that's tricky to set up and get working with >> contacts on your roster? > > In my opinion, it should be implemented both. Firstly, by use of GnuPG, it is > much simpler, secondly, many old client will still use gpg ant there is need > to communicate with them. And don't forget RFC 3923. ;-) > And, other problem is, JEP-116 is still experimental. Not much clients will > support it until it is a draft. True. I think we need some experimental implementations of JEP-0116 to see if it is feasible to implement or or too complicated for client developers. Another approach, which Justin Karneges has mentioned before and which I've chatted with him about, is to combine the best of JEP-0027 and RFC 3923 -- you could do OpenPGP or S/MIME depending on service discovery info (optionally auto-discovered via JEP-0115). The S/MIME stuff would be simplified (essentially, no CPIM) if the other party is a native XMPP entity (the CPIM stuff is there to function across XMPP and SIMPLE). Now, neither OpenPGP or S/MIME enable you to repudiate what you said, and if people find that important then they would need to do JEP-0116 (or something very much like it, such as Gaim's OTR plugin). So in part the differences here come down to requirements and philosophy. I'm not yet convinced that repudiability and perfect forward security are core requirements for an end-to-end encryption system, since both OpenPGP and S/MIME are better than nothing. But one thing that seems attractive about JEP-0116 is that it doesn't require end users to create OpenPGP keys or obtain X.509 certificates, both of which are hard for end users. Instead, it could use RSA keys generated by the user's client, thus shielding the user from key generation and management. Anything that makes security technologies easier to use seems good (as long as it's still safe). Peter - -- Peter Saint-Andre Jabber Software Foundation http://www.jabber.org/people/stpeter.shtml -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFEDMNLNF1RSzyt3NURAncIAJ42tkSCkE5mm7ZSHKvdulWDLpj0owCfRJLq fPOP1DXvsjGd/5JnlDJoYA8= =ko0q -----END PGP SIGNATURE-----
smime.p7s
Description: S/MIME Cryptographic Signature
