[jdev] Re: JEP-0027 (OpenPGP) implementation question
Norman Rasmussen
norman at rasmussen.co.za
Sun Mar 5 11:26:09 CST 2006
On 3/5/06, Remko Troncon <remko at el-tramo.be> wrote:
> On 05 Mar 2006, at 13:38, Norman Rasmussen wrote:
> > yea, I've considered adding a button to Psi to do this many times.
> A solution which doesn't require a button would be to use PEP to
> publish your key.
>
No, as I said: """as Michal pointed out any exchange of pgp/gpg keys
in-band will be insecure. (e.g. using the same tcp connection). The
keyservers are the 'right' place to store and get this information."""
If someone has hijacked your xmpp session, then they can very easily
return whatever public key they want. Doing the key retrieval
out-of-band means extra dns requests, and connecting to a different
server, all resulting in more work for 'the bad guys' and adding extra
layers of security.
This isn't to say that someone could hijack your entire internet
connection, and redirect the keyserver connection too, but it does
make their life harder.
--
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/
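As an added illustration of the cross-check Norman is describing (this is example code, not from the thread or from Psi): a client that receives an OpenPGP key over the XMPP session can refuse it unless its RFC 4880 v4 fingerprint matches one obtained through a second, independent channel such as a keyserver. The key material below is constructed with toy-sized RSA values purely so the code runs offline; the fingerprint computation itself follows the v4 rule (SHA-1 over 0x99, a two-byte length, then the public-key packet body).

```python
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(n: int, e: int, created: int = 0) -> bytes:
    """Body of a v4 RSA public-key packet: version, creation time, algorithm 1 (RSA), MPI n, MPI e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99 || 2-byte body length || body, as upper-case hex."""
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()


def accept_in_band_key(received_body: bytes, out_of_band_fingerprint: str) -> bool:
    """Accept a key delivered over the XMPP session only if its fingerprint matches
    the one fetched independently (e.g. from a keyserver). Spaces in the
    human-readable fingerprint are ignored; comparison is constant-time."""
    expected = out_of_band_fingerprint.replace(" ", "").upper()
    return hmac.compare_digest(v4_fingerprint(received_body), expected)


# Constructed sample keys (toy-sized moduli, not real keys). GENUINE_BODY stands for the
# contact's real key; SUBSTITUTED_BODY stands for whatever a hijacked session returns instead.
GENUINE_BODY = v4_public_key_body(n=0xC0FFEE1234567891, e=65537, created=1141557969)
SUBSTITUTED_BODY = v4_public_key_body(n=0xBADC0DE987654321, e=65537, created=1141557969)

if __name__ == "__main__":
    trusted = v4_fingerprint(GENUINE_BODY)  # assumed to have come from the keyserver
    print("genuine key accepted:", accept_in_band_key(GENUINE_BODY, trusted))      # True
    print("substituted key accepted:", accept_in_band_key(SUBSTITUTED_BODY, trusted))  # False
```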