[jdev] Re: JEP-0027 (OpenPGP) implementation question

Juan Antonio Gómez Moriano moriano.jabber at gmail.com
Tue Mar 7 16:50:48 CST 2006


On Sun, 05-03-2006 at 14:38 +0200, Norman Rasmussen wrote:
> Have you read 'JEP-0116: Encrypted Sessions'
> (http://www.jabber.org/jeps/jep-0116.html)
> 
> JEP-0027 is only a Historical JEP, so it's not a standards-track spec,
> JEP-0116 is a standards-track spec.

True, but JEP-0116 is still experimental, and to be honest the reason
to add encryption is to learn something; it may not even be useful.
This is just for fun (although obviously that will result in
implementing JEP-0166 sooner or later).

Apart from that, I think there are still a lot of clients out there
using JEP-0027 and not JEP-0116...

Anyway (thanks for the advice, of course :-) and reconsidering the key
exchange (which has raised my paranoia level), should I use GnuPG (gpg
and others...)? The thing is that GnuPG is supposedly meant to be used
as a kind of "engine" for larger applications. However, I do not like
the idea of having "dependencies" in my software; that is, I would
prefer to avoid forcing the user to have GnuPG installed... (actually
the whole client is done in Java, so there is a BIG dependency
already).

Any ideas? Using GnuPG to handle the keys looks easy, but it adds
dependencies. On the other hand, I have been looking at the Bouncy
Castle library (www.bouncycastle.org), which is able to handle the
keys too, but I did not find a way to retrieve the keys from the
OpenPGP key server (or to store them there).

Finally, I would like to say thanks again to all the people who have
answered this thread (I started it); you are being VERY helpful (after
all, I'm a newbie in the world of Jabber development...)
> 
> On 3/5/06, Juan Antonio Gómez Moriano <moriano.jabber at gmail.com> wrote:
> > Thanks to all for the answers/suggestions... What I have thought of now is to
> > automate the process of exchanging keys using OpenPGP key servers;
> > after all, they are supposed to be synchronized, aren't they?
> Yeah, I've considered adding a button to Psi to do this many times.
> 
> > Apart from that, I have been thinking of submitting a comment to the
> > Jabber people about this... I have developed a simple solution which
> > basically stores the public key in the Jabber server in a place accessible
> > to everyone but that only the user can write to. I've been testing it and
> > it looks nice; should I write a more formal document and submit it to
> > jabber.org?
> Some people store their public keys in their vCards, but as Michal
> pointed out, any exchange of pgp/gpg keys in-band will be insecure
> (e.g. using the same TCP connection).  The keyservers are the 'right'
> place to store and get this information.  If you want to do it
> privately, then set up your own private keyserver.
> 
> --
> - Norman Rasmussen
>  - Email: norman at rasmussen.co.za
>  - Home page: http://norman.rasmussen.co.za/
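The retrieval and upload that Juan says he could not find in Bouncy Castle are not part of the library at all: OpenPGP key servers speak HKP, which is plain HTTP (GET /pks/lookup?op=get&options=mr&search=0x<keyid> to fetch an ASCII-armoured key, POST /pks/add with a keytext form field to upload one), so a few lines of java.net plus Bouncy Castle's OpenPGP parser cover both directions. The example below is added here as an illustration; it is not code from the thread, from Psi, or from the Bouncy Castle project. The keyserver host name and the fingerprint the caller passes in are assumptions. The security point it demonstrates is the one Norman and Michal raise: a keyserver gives no assurance about who owns a key (anyone can upload a key carrying any user ID), so the fetched key is only trusted after its fingerprint matches one obtained out of band.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.Iterator;
import java.util.Locale;

import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.jcajce.JcaPGPPublicKeyRingCollection;
import org.bouncycastle.util.encoders.Hex;

/** Fetch/upload OpenPGP keys over HKP and pin the fetched key to an out-of-band fingerprint. */
public class HkpKeyFetch {
    // Assumed host. HKP is HTTP on port 11371 by convention; the response is unauthenticated.
    private static final String KEYSERVER = "http://keyserver.example.org:11371";

    /** GET the ASCII-armoured key block for a key ID (hex, with or without a 0x prefix). */
    public static String fetchArmoredKey(String keyId) throws IOException {
        String search = keyId.startsWith("0x") ? keyId : "0x" + keyId;
        URL url = new URL(KEYSERVER + "/pks/lookup?op=get&options=mr&search="
                + URLEncoder.encode(search, "UTF-8"));
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), "UTF-8");
        }
    }

    /**
     * Parse the armoured block and return the key ring whose primary key has the
     * expected fingerprint. The fingerprint must come from somewhere other than
     * the Jabber session or the keyserver (in person, phone, signed e-mail).
     */
    public static PGPPublicKeyRing parseAndPin(String armored, String expectedFingerprintHex)
            throws IOException, PGPException {
        InputStream in = PGPUtil.getDecoderStream(
                new ByteArrayInputStream(armored.getBytes("UTF-8")));
        PGPPublicKeyRingCollection rings = new JcaPGPPublicKeyRingCollection(in);
        String expected = expectedFingerprintHex.replace(" ", "").toUpperCase(Locale.ROOT);

        Iterator<PGPPublicKeyRing> it = rings.getKeyRings();
        while (it.hasNext()) {
            PGPPublicKeyRing ring = it.next();
            PGPPublicKey primary = ring.getPublicKey();
            String fp = Hex.toHexString(primary.getFingerprint()).toUpperCase(Locale.ROOT);
            if (fp.equals(expected)) {
                return ring;
            }
        }
        // A search by key ID can return several keys (or a forged one); none matched the pin.
        throw new PGPException("no key in keyserver response matches pinned fingerprint " + expected);
    }

    /** Upload an armoured public key block: POST /pks/add with form field keytext=<armored>. */
    public static int submitKey(String armored) throws IOException {
        URL url = new URL(KEYSERVER + "/pks/add");
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        byte[] body = ("keytext=" + URLEncoder.encode(armored, "UTF-8")).getBytes("UTF-8");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        return conn.getResponseCode();
    }

    /** Usage: java HkpKeyFetch <keyid-hex> <fingerprint-hex-obtained-out-of-band> */
    public static void main(String[] args) throws Exception {
        String armored = fetchArmoredKey(args[0]);
        PGPPublicKeyRing ring = parseAndPin(armored, args[1]);
        System.out.println("key 0x" + Long.toHexString(ring.getPublicKey().getKeyID())
                + " matches the pinned fingerprint; safe to import into the client's keyring");
    }
}
```

Searching by key ID rather than fingerprint is deliberate: it mirrors what JEP-0027 clients have to work with (the 8-hex-digit ID in the signature), and it is exactly why the fingerprint comparison is needed afterwards, since an ID lookup can return more than one key and nothing on the keyserver side proves which, if any, belongs to the contact. The same pinning step applies whether the key is fetched from a keyserver, a vCard, or the server-side store Juan describes above; none of those channels authenticates the key by themselves.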
