-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/28/09 6:09 AM, Peter Saint-Andre wrote:
> On 9/28/09 3:28 AM, Winfried Tilanus wrote:
>
>> So, do you think such white-papers have enough added value to invest
>> some time in them (or to encourage others to invest some of their time
>> in them)?
>> Are you willing to comment on outlines and drafts?
>> Do you want to write parts of such papers?
>
> In fact I wrote a whitepaper about XMPP security ~2 years ago, but it
> was posted on the jabber.com website. I think I can probably republish
> it with some changes (small parts of it were specific to Jabber XCP),
> but I'll find out about that this week.
BTW, I left a comment at http://www.rsa.com/blog/blog_entry.aspx?id=1525 but it is awaiting moderation. In case they don't approve the comment, here it is:

***

It is true that any system based on the Extensible Messaging and Presence Protocol (XMPP) can be used in the way you suggest, because XMPP (which grew out of the open-source Jabber developer community) is an open protocol. Anyone can develop server software that implements XMPP, which is what Google did when they deployed Google Talk. Anyone can download one of the many open-source XMPP server packages (there is no one "Jabber server" codebase as your blog post implies) and run their own IM service, which is what tens of thousands of companies, schools, ISPs, and individuals have done over the years.

The vast majority of these deployments are used for good, just as is true of systems based on SMTP, HTTP, or any other open protocol. However, the XMPP developer community naturally cannot control who downloads and deploys any given XMPP server codebase, any more than can the developers of software like Postfix or Apache.

Also, please note that this usage is a private deployment that is not connected to the public XMPP network (if these fraudsters were using public XMPP services like jabber.org or Google Talk we would have ways to discover something about them).

I will soon be publishing an updated whitepaper about XMPP security taking account of these recent abuses of XMPP technologies, and I will send that whitepaper to RSA once it is posted online.

***

Peter

- --
Peter Saint-Andre
https://stpeter.im/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrBOS4ACgkQNL8k5A2w/vwT0ACg7HAW1LQAR4UYZ0p52kshdBbG
8wgAoKxiEKRm6fZTCKZanycLQsHNzuQ4
=EJKd
-----END PGP SIGNATURE-----
