[JDEV] Security & the Java Jabber server

Al Sutton al at alsutton.com
Mon Jul 2 14:32:38 CDT 2001


I can put to rest your fears of this being sidelined. I already have a
working prototype which Jabber Instant Message will log into.

I'm aiming to do a first code drop on Friday. This should include enough
code for most clients to log into the server and send messages to other
logged-in users.

My current plan is to get a SourceForge project up and running and put the
CVS repository on that, and run the web site/downloads from my site
(www.alsutton.com), although any ideas are welcome.

Al.

----- Original Message -----
From: "Ragavan S" <jabber_dev at hotmail.com>
To: <jdev at jabber.org>
Sent: Monday, July 02, 2001 7:55 PM
Subject: [JDEV] Security & the Java Jabber server


> Hi Al and Iain,
>
> I would like to participate and contribute to the development of the Java
> Jabber server. As you both have pointed out there are definitely very good
> reasons to have an implementation in Java.
>
> Apart from the issues you both have brought out, I am also personally
> interested in trying to figure out how to tie in XML-DSIG to add security,
> especially when you start talking about 'enterprise grade' communications.
>
> Another interest is to see if and how Kerberos fits in. The concept of
> sessions can be pretty pertinent to communications and this might be an
> area for something like Kerberos to come in.
>
> Are you guys planning on starting up some kind of a virtual team of people
> together soon? I would hate to see this one get shelved :-). We might also
> be able to contribute a lot to the standardization folks!
>
> Looking forward to more ideas/comments.
>
> Keep Jabberin,
> Ragavan
>
>
> > My primary focus for developing the Java Jabber server is ease of
> > installation & configuration. I've seen numerous requests about problems
> > in jabberd.xml so I'm trying to make the system require the minimum level
> > of detail in a configuration file (possibly just the server name), and use
> > features within Java (such as reflection) to figure out what's available.
> >
> > On the security front, I've been looking at the use of digital signatures
> > and asymmetric cryptography to improve trust relationships. The areas that
> > affect what you bring up are:
> >
> > 1) Client -> Server: The use of signed digital certificates which are
> > signed by a known entity (possibly Jabber.com, and/or others), to verify
> > the server's name, IP, and any other details in a similar way as TLS.
> >
> > 2) Server -> Server: The establishment of a key bank (possibly
> > distributed) in which Jabber servers store their public keys; data then
> > sent from server A to server B can be encrypted by Server A using its
> > private key, sent to B, B can fetch A's public key from the key store,
> > and decrypt the data. This would give not only server to server message
> > security, but also verification of server A's identity.
> >
> > I'm also keen on developing the idea of using a Jabber server as a central
> > authentication location so that 3rd party apps can make use of Jabber for
> > authenticating users.
> >
> > These are still only my ideas, and they haven't been discussed, so if you
> > have any comments I'd welcome them.
> >
> > Any general comments should go through this list, but if you want to talk
> > to me specifically about something you can either mail me or try and grab
> > me on Jabber at al at personalbuddy.com
> >
> > Al.




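The server-to-server idea in the quoted proposal, sketched as an added example (not code from the Java Jabber server project or from either poster): "encrypting with the private key" is modelled here as a digital signature that server B checks against a key bank. The `KeyBankDemo` class, the in-memory map standing in for the key bank, and the `a.example`/`b.example`/`c.example` names are assumptions, and the key bank's own integrity is taken as given.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class KeyBankDemo {
    // Hypothetical in-memory "key bank": server name -> published public key.
    static final Map<String, PublicKey> KEY_BANK = new ConcurrentHashMap<>();

    // Server A: sign the sender name together with the stanza, so the
    // signature covers who claims to have sent it as well as the content.
    static byte[] sign(String from, String stanza, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(framed(from, stanza));
        return s.sign();
    }

    // Server B: fetch the claimed sender's key from the key bank and verify.
    // A sender with no published key is rejected outright.
    static boolean verify(String from, String stanza, byte[] sig) throws GeneralSecurityException {
        PublicKey pub = KEY_BANK.get(from);
        if (pub == null) return false;
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(framed(from, stanza));
        return s.verify(sig);
    }

    // Length-prefix the sender name so name and stanza bytes cannot be confused.
    static byte[] framed(String from, String stanza) {
        return (from.length() + ":" + from + stanza).getBytes(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair a = gen.generateKeyPair();      // server A's key pair
        KeyPair rogue = gen.generateKeyPair();  // a key that was never published for A
        KEY_BANK.put("a.example", a.getPublic());

        // Constructed sample stanza.
        String stanza = "<message to='user@b.example'><body>hi</body></message>";
        byte[] sig = sign("a.example", stanza, a.getPrivate());

        System.out.println("genuine:      " + verify("a.example", stanza, sig));
        System.out.println("tampered:     " + verify("a.example", stanza.replace("hi", "bye"), sig));
        System.out.println("wrong key:    " + verify("a.example", stanza, sign("a.example", stanza, rogue.getPrivate())));
        System.out.println("unknown host: " + verify("c.example", stanza, sig));
    }
}
```

A signature of this kind establishes the sender's identity and the stanza's integrity; anyone holding A's public key can read the payload, so confidentiality would need a separate encryption layer.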