[jdev] Re: JEP-0027 (OpenPGP) implementation question
Michal Vaner (Vorner)
michal.vaner at kdemail.net
Sun Mar 5 14:42:03 CST 2006
On Sunday 05 March 2006 21:04 Norman Rasmussen wrote:
> On 3/5/06, Remko Troncon <remko at el-tramo.be> wrote:
> > On 05 Mar 2006, at 18:26, Norman Rasmussen wrote:
> > > No, as I said: """as Michal pointed out any exchange of pgp/gpg keys
> > > in-band will be insecure. (e.g. using the same tcp connection). The
> > > keyservers are the 'right' place to store and get this information."""
> >
> > Retrieving keys from a keyserver is equally unsecure. I think there's
> > a mixup between the issue of automatically exchanging keys, and
> > actually asserting that the key is valid. The former requires no
> > security at all and can therefore be automated, the latter requires
> > extensive checking.
>
> Agreed, gpg/pgp keys are 'supposed' to be inherently strong, and
> therefore no automatic retrieval/exchange should even/ever be done,
> ever.
>
> If people want to implement automatic key exchange, they should be
> looking to implement JEP-0116 - it's actually far safer in terms of
> not being able to add and remove messages from conversations,
> additionally if the private key is ever compromised, then the messages
> can not be read.
>
> In fact anyone wanting to implement encrypted communications in their
> clients should be implementing JEP-0116, and _not_ JEP-0027 - is
> backwards compatibility with older clients a good enough reason to
> implement something that's tricky to set up and get working with
> contacts on your roster?
In my opinion, both should be implemented. Firstly, by use of GnuPG, it is
much simpler; secondly, many old clients will still use gpg and there is a need
to communicate with them.
And another problem is that JEP-116 is still experimental. Not many clients will
support it until it is a draft.
--
Windows are like windows - shiny, but fragile and expensive
Michal Vaner (Vorner)