Re: [DotGNU]Encryption protocols

From: Norbert Bollow
Subject: Re: [DotGNU]Encryption protocols
Date: Tue, 18 Mar 2003 14:04:04 +0100 (CET)

> 1. password is encrypted. So why encrypt the entire session?
> 2. recipient is encrypted; people sniffing the Jabber connection can't 
> see to whom the data is addressed.

I agree that it's good enough to encrypt the recipient Jabber ID
and any passwords.  There's a can of worms here though.  Properly
encrypting passwords is tricky.  Do we have any security experts on
board yet?

> But they can over a direct TLS 
> connection anyway, which is the other alternative (and will surely 
> happen).

A Jabber ID may contain sensitive information that goes far beyond
what can be learned from just looking at the headers of IP packets.

I can imagine that applications where traffic analysis could result
in an unacceptable privacy violation will provide an option to prevent
direct TLS connections.

Greetings, Norbert.

Founder & Steering Committee member of
Free Software Business Strategy Guide   --->
Norbert Bollow, Weidlistr.18, CH-8624 Gruet (near Zurich, Switzerland)
Tel +41 1 972 20 59        Fax +41 1 972 20 69
