[JDEV] Signed & encrypted messages

Michael Brown michael at aurora.gen.nz
Fri Jun 1 07:14:33 CDT 2001


From: "Max Horn" <max at quendi.de>
<snip>
> >The fourth
> >property would be up to clients. Since there may be more than
> >one certificate (for each different algorithm) we can't really
> >put them all into a user's vcard, since that would be too big.
>
> I agree. I'd prefer if vCards would stay small. But maybe vCards
> should be signable? So we can verify they are real ;)

Can someone explain this to me?  I'm no crypto expert, so maybe I'm missing
something...

First of all, what is the obsession that everyone has with keeping vCards as
small as possible?  I agree that I wouldn't want to see them bloat
unnecessarily, but they are a container for keeping all the information
about a person in one place.  Someone's public key is information related
directly to that person, so it *should* be stored in the vCard (even if it
is also stored somewhere else - such as a trusted server run by a CA so we
can check to see if the one in the vCard hasn't been altered).

After all, isn't there a "key" field or some such in the vCard spec exactly
for this purpose?  Are we just going to ignore that and stick it somewhere
else?  If that's the case, why use the vCard spec at all?  Also, the vCard
has room for a BASE64 encoded photo and audio sample of your name (which is
also a good thing IMO) - I think we can fit a few certificates.

Secondly, are these certificates that big?  Aren't we talking about the same
things that many members of this list see fit to attach to the end of each
email they send?  (Is a PGP Signature the same as what we are talking about
here?) My Lotus Notes file is only 4.7K, and it has quite a few X.509
certificates and god-knows-what else in it.

Thirdly, how often are vCards downloaded in a typical Jabber client?  Every
so often when the user right clicks on a client and selects "View vCard" I
suspect, or maybe they are parsed once when the contact list is drawn up to
populate an "About This User" dialogue...either way...


Michael.



