[JDEV] PGP / Public Key retrieval

Tim McCune timm at channelpoint.com
Mon Oct 9 15:22:09 CDT 2000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I was going to suggest the same thing.  The upside is that it lets
users use their preexisting keys if they want.  It also gives them
more direct control over security in general.  The downside is that
it just introduces complexity since you're supporting 2 different
ways of doing the same thing.  It might be a good idea to support the
use of vCard as the default, and then add key server communication as
an "option" later on.  I know that there's a lot of other code I'd
like to add to Imjay before I spend time communicating with key
servers.  As for the overhead of storing the key in the vCard, the
keys that Imjay stores there are typically about 400 bytes, and
that's with the BASE64 encoding, so I've got no real problem with
that kind of overhead.

- -----Original Message-----
From: Erisson [mailto:erisson at mail.kaosklan.net]
Sent: Monday, October 09, 2000 2:05 PM
To: jdev at jabber.org
Cc: jabbernaut-devel at lists.sourceforge.net
Subject: Re: [JDEV] PGP / Public Key retrieval


Good point. The cynic in me says that the user who doesn't want to 
bother learning how the system works is fooling themselves if they
think it's making it more secure.

Perhaps default to storing a key in the vCard, but allow a
knowledgeable user to switch to storing the key id in the vCard, and
let the client fetch it from a keyserver? I'd hate to see people
having to fetch that 60k key every time they forgot that user's
telephone extension.

Comments, problems with that approach?
Peter

On Mon, Oct 09, 2000 at 01:33:20PM -0600, Tim McCune wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Importing the key from an external key server is nice, but it does
> require the user to already have a key there, unless your Jabber
> client is going to check to see if the user has a key there, and if
> he doesn't, it will register it for him automatically.  I have
> found in the past that key management is something that most users
> don't understand and don't really want to understand.  That's why I
> wanted to ensure that it was all very transparent in Imjay.  In
> earlier versions, it wasn't, and you wouldn't believe all of the
> complaining that went on in my early user tests because of that.
> 
> - -----Original Message-----
> From: Erisson [mailto:erisson at mail.kaosklan.net]
>  
> KIM also searches for JID based on email. Not sure if it'll import
> from a key server or not. But it seems to me that this would be the
> best way to make use of the infrastructure that already exists.
> Another possibility, which is a bit of a hybrid, is to store the key
> ID, or maybe fingerprint in the vCard as a hint, and fetch it from a
> key server to actually get it. The reason I throw this out there is
> that sometimes e-mail and jabber ids don't match, and adding a new
> userid to a preexisting key isn't necessarily the best fix, but
> storing the key in the vCard could get expensive when, like one of
> the guys who signed my key, your key is ~60k.
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.3 for non-commercial use
> <http://www.pgp.com>  
> 
> iQA/AwUBOeIcxtUPOr8a7vy5EQJoPQCdHmfIaj7aZJeG/pseKjScS+po4twAnAzJ
> gV1+wTGKRpGAKM9jZG/+C8ei
> =Al7N
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOeIoNtUPOr8a7vy5EQIR6QCggLLHgZMXrbQu1LNy0eZhtEiGj6EAoMu8
g4x4qRg4lZgfSCYGuJVL62Vl
=0Cm8
-----END PGP SIGNATURE-----