[JDEV] Encrypted xml transfer, was servers specifying from fields
David Waite
dwaite at jabber.com
Mon Mar 5 00:52:28 CST 2001
Mathew A Johnston wrote:
> To me, not being able to send messages encrypted to a user when they're
> not online is unacceptable... Perhaps we need an encrypted 'datagram'
> namespace, and an encrypted 'session' namespace? Session would generate a
> session key, datagram would just use plain old public key
> crypto? ([p|g]pg)
>
*nod*, I was thinking the existing OpenPGP method (and your draft) would be
the datagram namespace.
A session-based method would require less bandwidth in most cases and less
processing/memory on the client systems. So it is probably advantageous to do
both :-)
>
> I'm trying to get this encrypted 'datagram' namespace into jabber because
> I want to be able to send url type messages that are encrypted, and
> include decryption information in case the referenced file requires
> decryption; a sort of secure reference to an encrypted file online. I'd
> also like to make a client which automatically handles downloading and
> decrypting files that it's given reference to (if the user chooses so of
> course). Not allowing encrypted xml that's to be parsed to be sent
> encrypted means that I'd be sending the url non-encrypted, then sending
> the decryption info in a normal encrypted message and isn't going to allow
> that automation that I desire; also, what happens if I just want the url
> itself to be secure and for the client to let the user click on
> it/bookmark/etc?
>
I'm happy you are working on this - many applications require data to be
encrypted (some corps are really paranoid, encrypted files packed in an
archive, encrypt the archive and send it out over SSL). For something like
XMLRPC or SOAP to work with secure data over a client-server distributed
system like jabber, there has to be a way to encrypt that content.
Not to mention that people will want encrypted rich text just as much as they
want encrypted plaintext. :-)
>
> For higher security session based stuff, like chats or whiteboards or
> something where both clients have to be online, using session key stuff
> looks good... but for sending one time messages that are not session
> based, session keys sound like a tonne of overhead, no?
>
Well, that's probably the reason there aren't session keys in email either :-)
you can't negotiate a session if the other person isn't around.
-David Waite