[JDEV] Security in XMPP/Jabber: some questions
Perry Lorier
perry at coders.net
Fri May 23 06:54:25 CDT 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> if we take a closer look at SASL there's Kerberos, TLS - that is
> the IETF version of Netscape's SSL ver 3, GSSAPI - I've to admit that
> I didn't understand this mechanism much, S/Key and external mechanisms
> of authentication... and my question is, why not a simple
> authentication using the PKI and based on certification authorities?
A) People want single sign-on (which is what Kerberos is good at: it
lets you give a password when you log in, which can then be used to grant
tickets to give to services such as Jabber).
B) Who will the certification authority be? Verisign? A 128-bit key is
16 bytes. Verisign currently signs certificates at $895 (US) per year.
That's $7 per bit per year, perhaps the most expensive bits on the
planet. This would prevent enthusiasts from running a Jabber server.
If you're going to require that each user has a personal certificate to
authenticate against Jabber, although they are (currently) free I
believe, it's a lot of hassle to connect.
C) If you don't have your private key where you are, you can't log in. I
can't just load up my Jabber client at a friend's place to check my
messages, because I'd have to find my private key and make sure it was
available on my friend's computer.
> public keys, Diffie-Hellman agreement to create session keys,
If you use TLS/SSL then it will use Diffie-Hellman to generate session
keys anyway.
> zero-knowledge agreement between servers and clients (note, not
> between clients and servers; the server must identify himself first),
> challenge-answer between clients and servers, and one of these two
> between servers and servers ... I think this is pretty much more secure
> than anything ...
Security is a trade-off between security and ease of use.
- --
This is National Non-Dairy Creamer Week.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Only when you are sure they have you, can you stop being paranoid
iD8DBQE+zgvxcAgRpy8z8UQRAnz0AJ9q6ZkJLdNBxh7WurXqaV4Wigt4ZQCg1FDS
j2cPJDdiMjfNE4qTYYg3HHc=
=kGED
-----END PGP SIGNATURE-----
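The reply's point that TLS/SSL uses Diffie-Hellman to make the session keys, and the quoted remark that the server must identify itself first, fit together: DH by itself gives two parties a shared key but says nothing about who is on the other end. The following is an added example (not code from the mail, from Jabber, or from any TLS implementation) that runs a finite-field DH exchange and then shows the man-in-the-middle that unauthenticated DH permits. Assumptions: a toy 62-bit safe prime generated at import time (real TLS uses 2048-bit or larger MODP groups, or elliptic curves), SHA-256 in place of the TLS key-derivation PRF, and no network transport (all parties run in one process).

```python
"""Finite-field Diffie-Hellman session-key agreement, plus the
man-in-the-middle that unauthenticated DH permits.

Added example, not code from the original mail or from any Jabber or
TLS project. Assumptions: a 62-bit safe prime generated at import time
(real TLS uses 2048-bit+ MODP or elliptic-curve groups), SHA-256 in
place of the TLS key-derivation PRF, and no transport: both parties
run in one process.
"""
import hashlib
import secrets

# Bases that make Miller-Rabin deterministic for n < 3.3e24.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for n below about 3.3e24."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> int:
    """Smallest safe prime p = 2q + 1 (q also prime) with p >= start."""
    q = (start // 2) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


# Group parameters (constructed, toy-sized). G = 4 is a square mod P, so
# it generates the prime-order subgroup of size Q rather than the full group.
P = find_safe_prime(1 << 62)
Q = (P - 1) // 2
G = 4


def is_valid_public(y: int) -> bool:
    """Reject 0, 1, P-1 and anything outside the order-Q subgroup.
    Skipping this check lets a peer push the shared secret into a tiny
    subgroup (a small-subgroup attack)."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


def keygen() -> tuple[int, int]:
    """Return (private exponent x, public value G^x mod P)."""
    x = 2 + secrets.randbelow(Q - 2)        # x in [2, Q-1]
    return x, pow(G, x, P)


def session_key(private: int, peer_public: int) -> bytes:
    """Derive a 32-byte session key from the DH shared secret."""
    if not is_valid_public(peer_public):
        raise ValueError("peer public value rejected")
    shared = pow(peer_public, private, P)
    nbytes = (P.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(nbytes, "big")).digest()


def honest_exchange() -> tuple[bytes, bytes]:
    """Alice and Bob swap public values and derive the same key."""
    a, pub_a = keygen()
    b, pub_b = keygen()
    return session_key(a, pub_b), session_key(b, pub_a)


def mitm_exchange() -> dict[str, bytes]:
    """Bare DH never proves who sent a public value, so Mallory swaps in
    her own share both ways and ends up holding one key with Alice and
    a different key with Bob. TLS closes this hole by having the server
    sign its DH share with a certificate-backed key."""
    a, pub_a = keygen()
    b, pub_b = keygen()
    m, pub_m = keygen()
    return {
        "alice": session_key(a, pub_m),          # Alice believes pub_m is Bob's
        "bob": session_key(b, pub_m),            # Bob believes pub_m is Alice's
        "mallory_with_alice": session_key(m, pub_a),
        "mallory_with_bob": session_key(m, pub_b),
    }


if __name__ == "__main__":
    k1, k2 = honest_exchange()
    print("honest exchange agrees:", k1 == k2)
    r = mitm_exchange()
    print("alice and bob share a key:", r["alice"] == r["bob"])
    print("mallory holds both keys:",
          r["alice"] == r["mallory_with_alice"]
          and r["bob"] == r["mallory_with_bob"])
```

The subgroup check in `is_valid_public` is the part most often left out of hand-rolled DH: without it a peer can send a value of tiny order and learn the other side's secret modulo that order. The MITM result is the whole reason the TLS handshake ties the server's share to a certificate; Kerberos gets the same authentication from the KDC-issued ticket instead.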