[Telepathy] XMPP: OpenPGP SASL mechanism
daniele.athome at gmail.com
Wed Apr 17 08:28:03 PDT 2013
Wait! I know: a shared secret (Diffie-Hellman) in the challenge :-)
On Wed, Apr 17, 2013 at 5:18 PM, Daniele Ricci <daniele.athome at gmail.com> wrote:
> On Wed, Apr 17, 2013 at 5:08 PM, Simon McVittie
> <simon.mcvittie at collabora.co.uk> wrote:
>> I suggest talking to an appropriate standardization group (we are not
>> one of those; the XMPP mailing lists might be) to make this into a
>> usable and secure specification.
> This will be my next step.
>> Isn't this rather exploitable? If a malicious server sends
>> <challenge>I, Daniele Ricci, promise to pay Simon McVittie $1
>> then you probably don't want to be signing that with your PGP key :-)
>> (Or if the user is a Debian/Ubuntu developer with upload privileges, it
>> could present a Debian .changes file authorizing the upload of a
>> malicious package, for instance.)
> Other than checking the server challenge for a specific syntax, is
> there any other way to make this secure? How do I prove that client
> has the private key it claims to have?
More information about the telepathy