[JDEV] Encrypted xml transfer, was servers specifying from fields

[David Waite]

*grin*, I'll propose something as soon as I get my Applied Cryptography
book back ;-) It has been popular as of late.

Since we already have a requirement of PGP in the clients (that wouldn't
go away, as it works well for encrypted messages sent to offline store),
there would just be a key negotiation between the two parties  - perhaps
the first PGP-sent message will have a portion of the key enclosed as
well in a separate block, as an 'offer' to support the alternate method
of encryption. Having both people provide part of the final key should
be enough to prevent replay. This key could be considered in some way
tied to the 'thread' of conversation. I haven't considered any way to
refresh the key, other than starting a new chat. Because this method
wouldn't work for offline messages (the key would be lost when the other
person came online), messages would just be required to be sent to a
particular user resource (which will give a 404 error if they
disconnect).

I guess thats an overview of what I'm thinking. Maybe I should look at
rijndael (see, I *can* spel it write!)

-David Waite

Mathew A Johnston wrote:

> David, how do you plan to negotiate a session key?
>
> Mathew Johnston
>
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev