On Sun, 05-03-2006 at 14:38 +0200, Norman Rasmussen wrote:
> Have you read 'JEP-0116: Encrypted Sessions'
> (http://www.jabber.org/jeps/jep-0116.html)
>
> JEP-0027 is only a Historical JEP, so it's not a standards-track spec,
> JEP-0116 is a standards-track spec.

True, the thing is that JEP-0116 is still experimental, and to be honest the reason to add encryption is to learn something, it may not even be useful, this is just for fun (although obviously that will result in implementing the JEP-0166 sooner or later). Apart from that I think there are still a lot of clients out there using JEP-0027 and not JEP-0116...

Anyway (thanks for the advice of course :-) and reconsidering the key exchange (which has raised my paranoia level), should I use GnuPG (gpg and others...)? The thing is that it is supposed that GnuPG may be used as a kind of "engine" for larger applications. However I do not like the idea of having "dependencies" in my software, that is, I would prefer to avoid forcing the user to have GnuPG installed... (actually the whole client is done in Java, so there is a BIG dependency already).

Any ideas? Using GnuPG to handle the keys looks easy, but it is adding dependencies; on the other hand I have been looking at the Bouncy Castle library (www.bouncycastle.org), which is able to handle the keys also, but I did not find a way to retrieve the keys from the OpenPGP server (or to store them).

Finally I would like to say thanks again to all the people that answered this thread (I started it), you are being VERY helpful (after all I'm a newbie in the world of Jabber development...)

>
> On 3/5/06, Juan Antonio Gómez Moriano <[EMAIL PROTECTED]> wrote:
> > Thanks to all for the answer/suggestions... What I have thought of now is to
> > automate the process of exchanging keys using OpenPGP key servers,
> > after all they are supposed to be synchronized, aren't they?
> yea, I've considered adding a button to Psi to do this many times.
>
> > Apart from that I have been thinking of reporting a comment to the
> > jabber people about this... I have developed a simple solution which
> > basically stores the public in the jabber server in a place accessible
> > for everyone but that only the user can write, I've been testing it and
> > looks nice, should I make a more formal document and report it to
> > jabber.org?
> Some people store their public keys in their vCards, but as Michal
> pointed out any exchange of pgp/gpg keys in-band will be insecure.
> (e.g. using the same tcp connection). The keyservers are the 'right'
> place to store and get this information. If you want to do it
> privately, then set up your own private keyserver.
>
> --
> - Norman Rasmussen
> - Email: [EMAIL PROTECTED]
> - Home page: http://norman.rasmussen.co.za/
