[Telepathy] XMPP: OpenPGP SASL mechanism

Daniele Ricci daniele.athome at gmail.com
Wed Apr 17 08:18:30 PDT 2013

On Wed, Apr 17, 2013 at 5:08 PM, Simon McVittie
<simon.mcvittie at collabora.co.uk> wrote:
> I suggest talking to an appropriate standardization group (we are not
> one of those; the XMPP mailing lists might be) to make this into a
> usable and secure specification.

This will be my next step.

> Isn't this rather exploitable? If a malicious server sends
> <challenge>I, Daniele Ricci, promise to pay Simon McVittie $1
> million</challenge>
> then you probably don't want to be signing that with your PGP key :-)
> (Or if the user is a Debian/Ubuntu developer with upload privileges, it
> could present a Debian .changes file authorizing the upload of a
> malicious package, for instance.)

Other than checking the server challenge for a specific syntax, is
there any other way to make this secure? How do I prove that client
has the private key it claims to have?


More information about the telepathy mailing list