Re: [DotGNU]Encryption protocols
From: Norbert Bollow
Subject: Re: [DotGNU]Encryption protocols
Date: Tue, 18 Mar 2003 14:04:04 +0100 (CET)
> 1. password is encrypted. So why encrypt the entire session?
>
> 2. recipient is encrypted; people sniffing the Jabber connection can't
> see to whom the data is addressed.
I agree that it's good enough to encrypt the recipient Jabber ID
and any passwords. There's a can of worms here though. Properly
encrypting passwords is tricky. Do we have any security experts on
board yet?
> But they can over a direct TLS
> connection anyway, which is the other alternative (and will surely
> happen).
A Jabber ID may contain sensitive information that goes far beyond
what can be learned from just looking at the headers of IP packets.
I can imagine that applications where traffic analysis could result
in an unacceptable privacy violation will provide an option to prevent
direct TLS connections.
Greetings, Norbert.
--
Founder & Steering Committee member of http://gnu.org/projects/dotgnu/
Free Software Business Strategy Guide ---> http://FreeStrategy.info
Norbert Bollow, Weidlistr.18, CH-8624 Gruet (near Zurich, Switzerland)
Tel +41 1 972 20 59 Fax +41 1 972 20 69 http://norbert.ch