Dne neděle 05 březen 2006 21:04 Norman Rasmussen napsal(a): > On 3/5/06, Remko Troncon <[EMAIL PROTECTED]> wrote: > > On 05 Mar 2006, at 18:26, Norman Rasmussen wrote: > > > No, as I said: """as Michal pointed out any exchange of pgp/gpg keys > > > in-band will be insecure. (e.g. using the same tcp connection). The > > > keyservers are the 'right' place to store and get this information.""" > > > > Retrieving keys from a keyserver is equally unsecure. I think there's > > a mixup between the issue of automatically exchanging keys, and > > actually asserting that the key is valid. The former requires no > > security at all and can therefore be automated, the latter requires > > extensive checking. > > Agreed, gpg/pgp keys are 'supposed' to be inheriently strong, and > therefore no automatic retrieval/exchange should even/ever be done, > ever. > > If people want to implement automatic key exchange, they should be > looking to implement JEP-0116 - it's actually far safer in terms of > not being able to add and remove messages from conversations, > additionally if the private key is ever compromised, then the messages > can not be read. > > In fact anyone wanting to implement encrypted communications in their > clients should be implementing JEP-0116, and _not_ JEP-0027 - is > backwards compatability with older clients a good enough reason to > implement something that's tricky to set up and get working with > contacts on your roster?
In my opinion, it should be implemented both. Firstly, by use of GnuPG, it is much simpler, secondly, many old client will still use gpg ant there is need to communicate with them. And, other problem is, JEP-116 is still experimental. Not much clients will support it until it is a draft. -- Windows are like windows - shiny, but fragile and expensive Michal Vaner (Vorner)
pgp00V7uyNxCS.pgp
Description: PGP signature
