In the meantime: I just wrote Python bindings for GnuTLS OpenPGP support [1], patch is here: [2] Next step would be a Twisted endpoint.
[1] http://twistedmatrix.com/trac/ticket/6175#comment:6 [2] http://twistedmatrix.com/trac/attachment/ticket/6175/python-gnutls-1.2.4-gpg.diff On Wed, Apr 17, 2013 at 6:31 PM, Peter Saint-Andre <[email protected]> wrote: > On 4/17/13 10:29 AM, Daniele Ricci wrote: >> Hi list! >> I'm developing a messaging application based on XMPP [1], focusing on >> community, privacy and security. >> What I want to discuss here is I've decided to use OpenPGP keys to >> encrypt data between users. Also it would be optimal to use those keys >> to authenticate against servers too. >> >> I started by implementing a very simple (and unsafe) SASL mechanism, a >> simple challenge/response method (like SSHv1). But things are getting >> a little more complicated, and since this application is targeted >> mostly to mobile devices, authenticating in-band of an XML stream >> would be a huge waste of network traffic. A server-side working >> implementation based on Twisted can be found on xmppserver repository >> [2]. >> >> Before even considering a SASL mechanism, I bumped into RFC 6091 [3], >> namely "Using OpenPGP Keys for Transport Layer Security (TLS) >> Authentication". This protocol would save bandwidth but lacks of >> implementations (only GnuTLS implements this - and only the mainstream >> C version, so no bindings). >> >> Because Kontalk aims to target multiple platforms, this RFC will >> require many implementations to be written (e.g. Android would require >> - for example - a separate Bouncycastle implementation). >> On the other hand, a SASL mechanism requires an application level >> implementation (that is, it's already part of the XML stream, easier >> to implement - but no standard present yet). >> >> Another option would be put into a X.509 certificate the PGP key as a >> blob (quite a workaround eh?), but I prefer not to consider that :-) >> >> The question is: SASL or TLS? >> > As I mentioned on the Telepathy list, I recommend RFC 6091 + SASL EXTERNAL. > > Peter > -- Daniele
