On Wednesday 20 May 2009 19:28:30 Stephen Paul Weber wrote: > I know XEP-0027 is "historical", but it's currently *the* way to do OpenPGP > encryption/signing with XMPP. I have a few questions. > > 1) What do people think of also signing the content of the <x > xmlns='jabber:x:encrypted'> element, to get encrypted and signed messages > (instead of just encrypted messages and signed presence)
Since most of the attention has been on session security (Esessions/OTR/XTLS), signing of individual messages has been left by the wayside. All of the session security proposals support some degree of integrity protection (signing the initial session parameters, and then messages protected by MAC). However, after our last e2e security discussion, I believe there was some consensus that we should offer both session-based and single message security. So, we may seriously pursue PGP encrypted+signed single messages once again. > 2) What do people think of clearsigning <body> on a message in line with > OpenPGP? I don't think we should use clearsign in IMs. It would be silly if clients not supporting PGP were to display all of that clearsigning garbage in a chat window. For XMPP, it would make the most sense to have the <body> contain just the text message, and separate elements would be used to handle the signature/etc. > 3) Has there been discussion of OpenPGP signing (also, openssl/Thawte > signing) on XMPP messages? X.509 signing with S/MIME has been discussed, and in fact is published in RFC 3923, though nobody implements it. > It would be really awesome if the same keys/mechanisms could be used for > signing (/encrypting) XMPP messages as email messages, in general, since > this makes a lot of multi-mode applications much easier to work with. You can read the dead sea scrolls: http://xmpp.org/extensions/inbox/secure.html Probably we should have another e2e security discussion again. -Justin
