> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Dirk Meyer
> Sent: Wednesday, August 20, 2008 11:17 AM
> To: XMPP Security
> Subject: Re: [Security] TLS Certificates Verification
>
> Justin Karneges wrote:
> >...
>
> It should be optional. You can put your key on a USB stick or upload
> to the XMPP encrypted. That sounds like a very good idea to me. Adding
> very strong encryption here the user only has to remember the
> password. If he/she can not do that you are out of luck. But if that
> happens it is not that bad, you "only" have to re-key with all your
> friends again (and tell them that you are lazy and lost your key).

Great idea Dirk!!! I think the client MUST guide the user through installing the key on a thumbdrive. However, the wizard MUST NOT require the user to put the key on a thumbdrive. I usually lose my thumbdrive once every two weeks (_dime a dozen_), I would obviously take care of my XMPP one, but that means at times I don't have one lying around to just install a new key on. I know a couple of people who don't even know what a thumbdrive is (they also use gopher).

>
> > Extra points if there'd be a way to authenticate to your XMPP
> > account and retrieve your private key with a single password,
> > without the XMPP server being able to decrypt the private key.
>
> The XMPP password and the key password should be something completely
> different.
>
>
> Dirk
>
> --
> As long as there are ill-defined goals, bizarre bugs, and unrealistic
> schedules, there will be Real Programmers willing to jump in and Solve
> The Problem, saving the documentation for later.
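
The single-password idea quoted above, sketched as an added example that is not code from the thread or from any XMPP client: one password is stretched once and split into an authentication value the server stores and separate keys that never leave the client. The function names, the record layout, the PBKDF2 work factor and the HMAC-based keystream (a standard-library stand-in for an AEAD such as AES-GCM) are all assumptions of this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch

def derive_keys(password: str, salt: bytes):
    """Stretch one password, then split it into independent subkeys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    sub = lambda label: hmac.new(master, label, hashlib.sha256).digest()
    # "auth" is sent to the server; "enc" and "mac" stay on the client.
    return sub(b"auth"), sub(b"enc"), sub(b"mac")

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real AEAD cipher.
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def wrap_private_key(password: str, private_key: bytes) -> dict:
    """Encrypt-then-MAC the key; the returned record is what the server keeps."""
    salt, nonce = os.urandom(16), os.urandom(16)
    auth, enc, mac = derive_keys(password, salt)
    stream = _keystream(enc, nonce, len(private_key))
    ct = bytes(a ^ b for a, b in zip(private_key, stream))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag, "auth": auth}

def unwrap_private_key(password: str, blob: dict) -> bytes:
    """Re-derive the client-side keys, check the tag, then decrypt."""
    _, enc, mac = derive_keys(password, blob["salt"])
    expected = hmac.new(mac, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong password or tampered blob")
    stream = _keystream(enc, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))
```

Anyone holding the stored record, the server included, can still test password guesses offline against `auth` or `tag`, so the private key is only as safe as the password and the work factor.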
