[JDEV] Security & the Java Jabber server
johnston at megaepic.com
Mon Jul 2 01:13:15 CDT 2001
The W3C's encryption for XML working group (w3c.org/encryption) is working on a strategy for the encryption and signature of XML blocks and documents. This is a likely candidate for bringing encryption end to end (no clients trusting the server here) in Jabber. The details of the implementation are to be worked out by the security JIG.
Mathew Johnston
On Sun, Jul 01, 2001 at 07:37:44PM +0100, Al Sutton wrote:
> My primary focus for developing the Java Jabber server is ease of
> installation & configuration. I've seen numerous requests about problems in
> jabberd.xml so I'm trying to make the system require the minimum level of
> detail in a configuration file (possibly just the server name), and use
> features within Java (such as reflection) to figure out what's available.
>
> On the security front, I've been looking at the use of digital signatures and
> asymmetric cryptography to improve trust relationships. The areas that affect
> what you bring up are:
>
> 1) Client -> Server: The use of signed digital certificates which are signed
> by a known entity (possibly Jabber.com, and/or others), to verify the
> server's name, IP, and any other details in a similar way to TLS.
>
> 2) Server -> Server: The establishment of a key bank (possibly distributed)
> in which Jabber servers store their public keys, data then sent from server
> A to server B can be encrypted by Server A using its private key, sent to
> B, B can fetch A's public key from the key store, and decrypt the data. This
> would give not only server to server message security, but also verification
> of server A's identity.
>
> I'm also keen on developing the idea of using a Jabber server as a central
> authentication location so that 3rd party apps can make use of jabber for
> authenticating users.
>
> These are still only my ideas, and they haven't been discussed, so if you
> have any comments I'd welcome them.
>
> Any general comments should go through this list, but if you want to talk to
> me specifically about something you can either mail me or try and grab me on
> Jabber at al at personalbuddy.com
>
> Al.
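
The server-to-server key bank flow from item 2 of the quoted message, as an added Java example that is not code from either poster or from the Java Jabber server. It treats the private-key operation as a digital signature; the in-memory map standing in for the key bank, the `KeyBankDemo` class, the `a.example`/`c.example` server names and the `SHA256withRSA` algorithm choice are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

// Added illustration; KeyBankDemo, keyBank and the server names are hypothetical.
public class KeyBankDemo {
    // Stand-in for the (possibly distributed) key bank: server name -> public key.
    static final Map<String, PublicKey> keyBank = new HashMap<>();

    // Server A: sign the outgoing stanza with its private key.
    static byte[] sign(PrivateKey key, byte[] stanza) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(stanza);
        return s.sign();
    }

    // Server B: fetch the claimed sender's public key from the bank and verify.
    static boolean verify(String sender, byte[] stanza, byte[] sig)
            throws GeneralSecurityException {
        PublicKey pub = keyBank.get(sender);
        if (pub == null) return false; // no key on file for this server: reject
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(stanza);
        return s.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair a = gen.generateKeyPair();     // server A's key pair
        KeyPair other = gen.generateKeyPair(); // a key the bank does not list for A
        keyBank.put("a.example", a.getPublic());

        // Constructed sample stanza.
        byte[] stanza = "<message from='u@a.example' to='v@b.example'><body>hi</body></message>"
                .getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(a.getPrivate(), stanza);

        byte[] tampered = stanza.clone();
        tampered[tampered.length - 20] ^= 1; // flip one bit inside the body
        System.out.println("genuine:  " + verify("a.example", stanza, sig));
        System.out.println("tampered: " + verify("a.example", tampered, sig));
        System.out.println("wrong key: "
                + verify("a.example", stanza, sign(other.getPrivate(), stanza)));
        System.out.println("unknown:  " + verify("c.example", stanza, sig));
        // The stanza travels readable next to the signature: this step proves
        // origin and integrity, it does not hide the content from third parties.
    }
}
```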