[JDEV] Re: XMPP implementation questions

Justin Karneges justin-jdev at affinix.com
Wed Jul 30 13:24:26 CDT 2003


I'm a fan of using OpenPGP also, but you're right, the way it is done in 
JEP-27 is totally overkill.  We need a way to use OpenPGP to derive a 
symmetric key, and then use that key for the actual messages.

I think (and hope) this is what JEP-102 is for.  As far as I know, it details 
a way to use a symmetric key for packet security, and the initial symmetric 
key exchange process can be done either with OpenPGP, X509, or on-the-fly RSA 
keys.  I think this should make everyone happy.

However, I admit I have not fully comprehended the JEP yet.

-Justin

On Wednesday 30 July 2003 02:19 am, David Banes wrote:
> I'll be implementing the OpenPGP JEP in our new client as it's easy-ish
> to do. But I will need to make some changes to handle real time
> symmetric key exchange as using asymmetric for encryption is just not
> viable. Therefore I'll have to a) accept my client won't do OpenPGP with
> any other client, or b) work out how to update the existing JEP, which
> is probably not a good idea, or is it?
>
> Basically, I'm mirroring the functionality I have already tested and
> know works in our older (non-Jabber) client until I can see a clear way
> ahead. This gives us end to end crypto, including digital signatures.
>
> David.
>
> In <20030728230354.GG19125 at jabber.org> Peter Saint-Andre wrote:
> > At the recent IETF meeting, I was asked to follow up with the Jabber
> > developer community about obstacles (or resistance) to implementing
> > certain aspects of the XMPP specs (<http://www.jabber.org/ietf/>). The
> > IETF folks perceive the presence of an active developer community as a
> > Good Thing [tm], so I think they are interested in how likely it is
> > that the current developer community will implement the specs as
> > written.
> >
> > The main topics mentioned to me relate to security, specifically SASL
> > for authentication, TLS for channel encryption, and CPIM + S/MIME for
> > end-to-end encryption. Do people think they will be able to integrate
> > existing libraries for these protocols into their applications (or
> > write their own support, as Rob Norris recently did for SASL in
> > jabberd2)? How likely is it that existing clients will implement
> > draft-ietf-xmpp-e2e, which uses CPIM and S/MIME for end-to-end encryption?
> >
> > From discussions so far, my sense is that SASL and TLS support will be
> > added once it's in the jabberd server, but that client developers are
> > fairly resistant to adding support for the end-to-end encryption spec
> > given the need to parse CPIM formats (no existing libraries as far as
> > I know) and support S/MIME (for which there are libraries, although
> > the use of S/MIME is not very "Jabberish").
> >
> > Feel free to reply on or off list.
> >
> > Thanks!
> >
> > Peter
> >
> > P.S. Yes, I owe the community an informational document that clearly
> >      defines the differences between XMPP and Jabber for things like
> >      authentication and session initiation. I will write that document
> >      by the middle of August.