Hello Goffi, XEP-0027 has serious security concerns, especially regarding reply attacks and key verification (you can read those in the "Security considerations" paragraph of the XEP). It's true that a real replacement hasn't been drafted yet (there are some drafts, but nothing really definitive or practical to use). In my project I use a modified version of XEP-0027, using XEP-0189 for key management (supervised by the server). I took an example from an e2e RFC draft (I really can't remember the number now, sorry), which used Message/CPIM to enforce message metadata inside the encrypted content. That's a bit more secure than plain XEP-0027, still there are many other attack vectors that can be used. I'll probably draft a XEP one day.
As for making XEP-0027 obsolete, that XEP is just informative: it's the description of a protocol that was never standardized and as I said it had security issues from the beginning. But at the time, security was a different thing ;-) On Fri, Jul 31, 2015 at 10:16 AM, Goffi <[email protected]> wrote: > G'day, > > I have a few questions about OpenPGP. XEP-0027 has been obsoleted by council > on 26/03/2014, but I can't see no explanation. > > OpenPGP is not the best for instant messaging (and OTR is the de facto > standard), but still it's interesting for normal messages (e.g. with an SMTP > gateway), and signatures, and offline messages, and probably other use > cases. > In addition, it would be nice to have a way to link the public key. > > So why OpenPGP has been obsoleted ? Is is still possible to see it coming > back throught eventually a new more proper XEP ? I don't mean use it as the > main e2e encryption model, but being able to use it with gateways or to > diffuse the public key seems important to me. > > Thanks > Goffi -- Daniele
