[JDEV] More SSL talk...

Joshua Kramer jkramer at capital.edu
Sat Aug 25 19:45:25 CDT 2001


Hello all...

I've been reading the list archives on using SSL for authentication and
encryption, and I wanted to throw in my two bits:

I would like to modify a Jabber client so that its client certificate
resides on a smart card.  Using this method, the client would not be able
to authenticate unless the card was in place.  I'm currently looking at
OpenCard and JavaCard for the Java client, and a version of PC/SC to use
with the Linux clients (since I'm primarily a Linux developer).

Perhaps we could modify a client to have an option (on a per-conversation
or per-user basis) to require an SSL encrypted and/or authenticated
session between any intermediate servers.  If I'm talking with my buddy
Joe about the ballgame tonight, I might not care; but if I'm talking to a
client, I would care.

Perhaps we could modify the protocol to use regular 509 e-mail
signatures... that is, I could e-mail Joe my public key, the same one I
got from Thawte for Netscape e-mail; my client would send a digital
signature (generated by my smartcard), and Joe could verify it was "really
me".  This could also be used as a server-authentication process.  Again,
we could set an option requiring (or not) strict authentication.

Another nifty benefit to this is ubiquity; I could be Jabbering away from
my PDA, laptop, or work PC; if my key was in place, the people on the
other end would know it's me.

How much time would something like this take to implement?  I wanted to
concentrate primarily on the smartcard interface to the clients...

----
This message sent by Josh from Capital University!
The shortest distance between two points is a hilly, curvy road...
----
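The signed-message idea in the post above, sketched as an added example; it is not part of the original message or of any Jabber client or server code. Assumptions: an Ed25519 key and a self-signed certificate generated in software stand in for the smart card and the CA-issued certificate, the names `Contact`, `newIdentity`, `Sign` and `Accept` are hypothetical, and certificate chain and expiry checks are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Contact struct { // hypothetical per-user record kept by the receiving client
	Cert   *x509.Certificate // sender's certificate, received out of band (e.g. by e-mail)
	Strict bool              // per-user option: refuse messages that arrive unsigned
}

// newIdentity stands in for card enrollment; on a real card the private key never leaves it.
func newIdentity(name string) (ed25519.PrivateKey, *x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Sign is the operation the sending client would hand to the card for each message body.
func Sign(key ed25519.PrivateKey, body string) []byte { return ed25519.Sign(key, []byte(body)) }

// Accept applies the recipient's policy; a nil sig means the message arrived unsigned.
func Accept(c Contact, body string, sig []byte) bool {
	if sig == nil {
		return !c.Strict
	}
	pub, ok := c.Cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, []byte(body), sig) // a bad signature fails even when Strict is off
}

func main() {
	key, cert, err := newIdentity("josh@example.org") // constructed sample identity
	ok := err == nil && Accept(Contact{cert, true}, "draft attached", Sign(key, "draft attached"))
	fmt.Println("accepted:", ok, "error:", err)
}
```

The signature here covers only the message body, so a client built this way would still need to bind the signature to a sender, recipient and timestamp or counter to keep a captured message from being replayed.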




