[JDEV] Security/Encryption Issues

[Thomas Muldowney]

I'll tackle both posts here.

First, regarding the security issues, these run super deep, and super tough
due to the distributed nature.  At this point there are two solutions.  First,
if you are only using C2S and not needing to use any of the S2S (.org to .com)
then there is SSL available.  Second, we strongly encourage client authors to
support GPG/PGP in their clients.  To help this along we have come up with a
simple <x/> extension to do this.  I will post this on jabber.org shortly.

We are working on trying to figure out some of the S2S issues, and hopefully
find some balance of a solution, but it's not easy.  I highly encourage some
conversation on this area on the posting i make to jabber.org.  I'll try and
get it going with my thoughts up there.

Next, for the presence issues there are two interesting points here.  First,
the server already allows you to send specialized presence to a particular 
user.  This would allow me to send my boss a certain presence, while my global
presence is something else.  This is achieved by sending a regular presence tag
with a to attribute to the user you wish to have specific presencd towards.
Next, you can also use the new mod_filter for changing many different things.
It is currently in cvs, and will probably go out with the 1.0.1 release (yes, 
you heard it here first) that will be going out hopefully tonight or tomorrow.
I'll try and get Keith to put up a jabber.org post about it.

If you have any comments or questions msg me JID:  temas at jabber.org

--temas

On Tue, Aug 08, 2000 at 01:02:51PM -0400, Andrew J. Lynn wrote:
> I agree with Michael and would like to add one other thing that is somewhat
> related.  It would be good, if there are going to be updated versions of the
> Jabber standards, to support per-subscription exposure levels.
> 
> What I mean by that is, if we are to take this a couple of years into the
> future, and I have an instant messaging system that knows presence information
> beyond available/idle/long-idle/dnd, for example
> on-the-phone/emailing/in-the-office-but-not-at-the-computer, there would be new
> privacy issues.  I might want my coworker who is working with me on a project to
> know I'm in a meeting with my boss, but other people outside the company to just
> see that I am not available for a videoconference.  Or I might want my fishing
> buddy to know that I am currently conducting extramarital relations with my
> 18-year-old babysitter, but certainly not my brother-in-law.  Yes, this is a bit
> beyond the current scope, but it is going to happen.
> 
> I guess this could be done in a transport, but it would be nice if there were,
> say, a field in the standard roster element for this, similar to the group
> element, and the server could send particular presence info to people with
> particular information in there.
> 
> -Andy
> 
> p.s. -- For an example of a messaging system with authentication and encryption,
> see gale (www.gale.org).  Also see Zephyr, which uses Kerberos authentication
> but does not encrypt.

Content-Description: Card for Andrew J. Lynn

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
URL: <https://www.jabber.org/jdev/attachments/20000808/a1efd82d/attachment-0002.pgp>