[JDEV] Many Messaging protocol. (security)

Jeremie jeremie at jabber.org
Wed Jul 28 12:45:20 CDT 1999


To answer your(and others) concerns about security and Jabber:

Because security and encryption are very important to many people, I'm
planning on creating a special team just do discuss these issues and come
up with either add in modules for Jabber, reccomendations for
clients(including libraries, etc), or any protocol extensions/etc that
might be needed to enhance security via Jabber or create secure messaging
between Jabber users.

Give me till early next week to get jabber.org moved and the mailing lists
set up for this team, and then we can bring up some of these issues again
and discuss them in depth.

Jer


On Tue, 27 Jul 1999, Thomas D. Charron wrote:

> On Tue, 27 Jul 1999 21:50:53   Yoni Elhanani wrote:
> >"Thomas D. Charron" wrote:
> 
> >1. Encryption
> >The ability to send encrypted data so it cannot be decrypted. (duh)
> 
>   Primary reasoning being the export restrictions..  No, raw packets would not be encrypted, merely the data WITHIN those packets..
> 
> >2. Friends List authorization.
> >Only allow certain people to know if I am online.
> >VERY IMPORTANT, as today, anyone can add me to his "contact list"
> >without my permission,
> >and know when i am online, offline, my IP, etc.
> >This is done with a certificate, which (generally) is the public key of
> >the reciever, signed by the issuer.
> 
>   Already done in the base jabber system..  This information is NOT presented unless you are both on each others lists..
> 
> >3. Personal data
> >Data such as my home phone number will be availible to people with the
> >above certificate.
> 
>   Again, already complete.  The server side has 'security settings' for personally stored data on the server, aka, who can access what data..
> 
> >4. Session key.
> >Since the entire data will be encrypted with a session key,
> >it is assumed that the person sending the data is the same one that have
> >authorized before,
> >since he is the only other person who knows the session key.
> >this can save time on slow machines.
> 
>   This is where we would have to extend our current digisig module to actually encrypt the message text, vs just signing it.
> 
>   As far as I can tell, the only place we seem to part company is the level of encrypting EVERYTHING that goes thru..  Some things we simply cannot encrypt, since we are building a modular system that can communicate with other systems as well as ours.  We could not really have encryption happen for the entire proccess for a converation between a jabber user and an AIM or ICQ user.
> 
> 
> >if i want to tell people on the jabber list about pump,
> >I'll have to  send them my postscript file (or a tex file made by LyX,
> >which makes it messy).
> >So it would be better if i can link to it and just put it on an FTP
> >site.
> >Problem is i have nowhere to put it.... :-(
> 
>   I can throw it someplace tonight that they can link to, and let you know..
> 
> >If you can either
> >1. put it somewhere with public access
> >2. Tell me it's ok to send large postscript files to a mailing list
> >I'll be happy.
> 
> ---
> Thomas Charron
> 
> 
> 
> 
> --== Sent via Deja.com http://www.deja.com/ ==--
> Share what you know. Learn what you don't.
> 




More information about the JDev mailing list