[Telepathy] XMPP: OpenPGP SASL mechanism
Daniele Ricci
daniele.athome at gmail.com
Wed Apr 17 08:18:30 PDT 2013
On Wed, Apr 17, 2013 at 5:08 PM, Simon McVittie
<simon.mcvittie at collabora.co.uk> wrote:
> I suggest talking to an appropriate standardization group (we are not
> one of those; the XMPP mailing lists might be) to make this into a
> usable and secure specification.
This will be my next step.
> Isn't this rather exploitable? If a malicious server sends
>
> <challenge>I, Daniele Ricci, promise to pay Simon McVittie $1
> million</challenge>
>
> then you probably don't want to be signing that with your PGP key :-)
>
> (Or if the user is a Debian/Ubuntu developer with upload privileges, it
> could present a Debian .changes file authorizing the upload of a
> malicious package, for instance.)
>
Other than checking the server challenge for a specific syntax, is
there any other way to make this secure? How do I prove that client
has the private key it claims to have?
--
Daniele
More information about the telepathy
mailing list