[JDEV] Security & the Java Jabber server
Al Sutton
al at alsutton.com
Sun Jul 1 13:37:44 CDT 2001
My primary focus for developing the Java Jabber server is ease of
installation & configuration. I've seen numerous requests about problems in
jabberd.xml so I'm trying to make the system require the minimum level of
detail in a configuration file (possibly just the server name), and use
features within Java (such as reflection) to figure out what's available.
On the security front, I've been looking at the use of digital signatures and
asymmetric cryptography to improve trust relationships. The areas that affect
what you bring up are:
1) Client -> Server: The use of signed digital certificates which are signed
by a known entity (possibly Jabber.com, and/or others), to verify the
server's name, IP, and any other details in a similar way as TLS.
2) Server -> Server: The establishment of a key bank (possibly distributed)
in which Jabber servers store their public keys. Data then sent from server
A to server B can be encrypted by server A using its private key, sent to
B, and B can fetch A's public key from the key store and decrypt the data. This
would give not only server-to-server message security, but also verification
of server A's identity.
I'm also keen on developing the idea of using a Jabber server as a central
authentication location so that 3rd party apps can make use of jabber for
authenticating users.
These are still only my ideas, and they haven't been discussed, so if you
have any comments I'd welcome them.
Any general comments should go through this list, but if you want to talk to
me specifically about something you can either mail me or try and grab me on
Jabber at al at personalbuddy.com
Al.
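An added illustration of the server-to-server scheme in point 2 above. This is an editor's example, not code from Al's server or from any Jabber project. What the message describes as "encrypting with its private key" is, in standard terms, a digital signature: B can confirm the data came from A and was not altered in transit, but the stanza itself stays readable to anyone on the path, so confidentiality still needs encryption to B's key or a TLS link. The key bank here is an in-memory map standing in for the proposed distributed store; the server names and the stanza are constructed, and a real key bank would itself have to be authenticated, since a forged entry would let anyone impersonate a server.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.HashMap;
import java.util.Map;

public class ServerSignatureDemo {
    // Hypothetical key bank: server name -> published public key.
    // Stands in for the (possibly distributed) store proposed in the post.
    static final Map<String, PublicKey> KEY_BANK = new HashMap<>();

    // Each server generates a key pair and publishes only the public half.
    static KeyPair generateServerKeys(String serverName) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        KEY_BANK.put(serverName, pair.getPublic());
        return pair;
    }

    // "Encrypting with the private key" as the post puts it: a signature
    // over the outgoing stanza, produced by the sending server A.
    static byte[] sign(PrivateKey key, String stanza) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(stanza.getBytes(StandardCharsets.UTF_8));
        return sig.sign();
    }

    // Receiving server B looks up the claimed sender in the key bank and
    // checks the signature. Unknown senders are rejected, not trusted.
    static boolean verifyFrom(String claimedSender, String stanza, byte[] signature)
            throws GeneralSecurityException {
        PublicKey pub = KEY_BANK.get(claimedSender);
        if (pub == null) {
            return false;
        }
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(pub);
        sig.update(stanza.getBytes(StandardCharsets.UTF_8));
        return sig.verify(signature);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed server names for the demonstration.
        KeyPair serverA = generateServerKeys("jabber.example.org");
        generateServerKeys("other.example.net");

        // Constructed stanza; note it travels in the clear alongside the signature.
        String stanza = "<message from='alice@jabber.example.org'"
                + " to='bob@other.example.net'>hi</message>";
        byte[] sig = sign(serverA.getPrivate(), stanza);

        // Genuine stanza from A: accepted.
        System.out.println("genuine:  " + verifyFrom("jabber.example.org", stanza, sig));
        // Stanza altered in transit: signature no longer matches.
        System.out.println("tampered: " + verifyFrom("jabber.example.org",
                stanza.replace("hi", "bye"), sig));
        // Same stanza claimed to come from a different server: wrong key, rejected.
        System.out.println("spoofed:  " + verifyFrom("other.example.net", stanza, sig));
    }
}
```

The three checks in main correspond to the properties the post is after: the genuine case verifies A's identity, the tampered case shows integrity protection, and the spoofed case shows that a server cannot pass off A's traffic as its own. None of them hides the stanza's contents; that is the gap between the signature this code provides and the "message security" the post hopes for.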
----- Original Message -----
From: "Iain Shigeoka" <iainshigeoka at yahoo.com>
To: <jdev at jabber.org>
Sent: Sunday, July 01, 2001 7:04 PM
Subject: Re: [JDEV] Jabber server in Java
> --- Al Sutton <al at alsutton.com> wrote:
> >
> > I've started coding a jabber server in Java. It's still in the very
> > early stages, but I would like to know if anyone else has been working
> > on this so I can avoid duplicating effort.
>
> I'm working on a mini Jabber server in Java mostly to explore the Jabber
> standards and think about compliance (oh boy, if you've been trying a
> "cleanroom" style implementation I bet we could create a pretty good
> "current protocols are in bad shape" club!). ;) I do have thoughts of
> creating a parallel version that is targeted at the "enterprise level"
> server market so the mini server uses the new java.nio.* stuff from JDK
> 1.4.
>
> One of my primary explorations focuses on the area of security with Jabber
> (my current impression being that things are Not Good(tm)). For example,
> there seems to be a built-in assumption that clients must trust their
> server (a situation that seems obviously ripe for exploitation) and that
> servers trust each other (a possibly worse assumption). Pretty much
> every man-in-the-middle and packet spoofing attack seems to be effective
> against a Jabber server... I noticed you're signed up for the security
> JIG so I'd love to hear your thoughts on this topic and if you've been
> thinking/looking at these issues.
>
> Oh, to summarize, I'd love to talk about collaboration. :)
>
> -iain