Re: [DotGNU]Encryption protocols

[Norbert Bollow]

> 1. password is encrypted. So why encrypt the entire session?
> 
> 2. recipient is encrypted; people sniffing the Jabber connection can't 
> see to whom the data is addressed.

I agree that it's good enough to encrypt the recipient Jabber ID
and any passwords.  There's a can of worms here though.  Properly
encrypting passwords is tricky.  Do we have any security experts on
board yet?

> But they can over a direct TLS 
> connection anyway, which is the other alternative (and will surely 
> happen).

A Jabber ID may contain sensitive information that goes far beyong
what can be learned from just looking at the headers of IP packets.

I can imagine that applications where traffic analysis could result
in an unacceptable privacy violation will provide an option to prevent
direct TLS connections.

Greetings, Norbert.

-- 
Founder & Steering Committee member of http://gnu.org/projects/dotgnu/
Free Software Business Strategy Guide   --->  http://FreeStrategy.info
Norbert Bollow, Weidlistr.18, CH-8624 Gruet (near Zurich, Switzerland)
Tel +41 1 972 20 59        Fax +41 1 972 20 69       http://norbert.ch