[jdev] Re: JEP-0027 (OpenPGP) implementation question

Peter Saint-Andre stpeter at jabber.org
Mon Mar 6 17:18:35 CST 2006 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michal Vaner (Vorner) wrote:

>> In fact anyone wanting to implement encrypted communications in their
>> clients should be implementing JEP-0116, and _not_ JEP-0027 - is
>> backwards compatability with older clients a good enough reason to
>> implement something that's tricky to set up and get working with
>> contacts on your roster?
> 
> In my opinion, it should be implemented both. Firstly, by use of GnuPG, it is 
> much simpler, secondly, many old client will still use gpg ant there is need 
> to communicate with them.

And don't forget RFC 3923. ;-)

> And, other problem is, JEP-116 is still experimental. Not much clients will 
> support it until it is a draft.

True.

I think we need some experimental implementations of JEP-0116 to see if
it is feasible to implement or or too complicated for client developers.

Another approach, which Justin Karneges has mentioned before and which
I've chatted with him about, is to combine the best of JEP-0027 and RFC
3923 -- you could do OpenPGP or S/MIME depending on service discovery
info (optionally auto-discovered via JEP-0115). The S/MIME stuff would
be simplified (essentially, no CPIM) if the other party is a native XMPP
entity (the CPIM stuff is there to function across XMPP and SIMPLE).

Now, neither OpenPGP or S/MIME enable you to repudiate what you said,
and if people find that important then they would need to do JEP-0116
(or something very much like it, such as Gaim's OTR plugin). So in part
the differences here come down to requirements and philosophy.

I'm not yet convinced that repudiability and perfect forward security
are core requirements for an end-to-end encryption system, since both
OpenPGP and S/MIME are better than nothing. But one thing that seems
attractive about JEP-0116 is that it doesn't require end users to create
OpenPGP keys or obtain X.509 certificates, both of which are hard for
end users. Instead, it could use RSA keys generated by the user's
client, thus shielding the user from key generation and management.
Anything that makes security technologies easier to use seems good (as
long as it's still safe).

Peter

- --
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEDMNLNF1RSzyt3NURAncIAJ42tkSCkE5mm7ZSHKvdulWDLpj0owCfRJLq
fPOP1DXvsjGd/5JnlDJoYA8=
=ko0q
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3641 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://www.jabber.org/jdev/attachments/20060306/c0019be4/attachment-0002.bin>

More information about the JDev mailing list