Once More With Feeling

by Peter Saint-Andre

2006-05-17

So I just had a long chat with a non-Jabberite about the state of end-to-end encryption in the Jabber world. It's painful to have to explain yet again that, no, we don't have an agreed-upon technology for end-to-end encryption. Instead we have a hodgepodge of partially specified and implemented protocols:

JEP-0027 has been implemented in a few clients because some folks have OpenPGP keys and there are various OpenPGP libraries, but is not in wide use because, well, not many people have OpenPGP keys.

RFC 3923 has not been implemented at all because Jabber developers hate it -- it really does not conform to the tao of Jabber and it requires a library for parsing CPIM, yet none exist as far as I know.

JEP-0116 provides intriguing features like perfect forward secrecy and per-stanza repudiability (a la Off-the-Record Messaging) but there are no libraries for it -- such libraries will have to be built from scratch, thus impeding developer acceptance.

So I've started to look into a fourth option: XML signatures and XML encryption. These technologies have several advantages:

  1. They were produced by people who know a lot more about security than I do, namely the W3C's XML Signature WG and XML Encryption WG
  2. XML Signatures were published jointly by the W3C and the IETF (see RFC 3275), so I think they would be more acceptable to our friends at the IETF than a homegrown solution like encrypted sessions
  3. There are many libraries for xmldsig and xmlenc, which will speed developer adoption

The downsides of using xmldsig and xmlenc are:

  1. They don't provide perfect forward secrecy or repudiability as far as I can see (these are nice but are they truly necessary?)
  2. They require support for Canonical XML (this has elicited howls of protest from some Jabber developers in the past, but I think the objections can be overcome)
  3. In order to support signing and encryption of IQ stanzas, we'd need to relax the prohibition on multiple child elements (but, I think, only for children qualified by the http://www.w3.org/2000/09/xmldsig# and http://www.w3.org/2001/04/xmlenc# namespaces)
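
Why the Canonical XML requirement in item 2 comes with xmldsig, as an added example (not code from the original post): a digest over the raw bytes of a stanza changes when the stanza is re-serialized, while a digest over its canonical form does not. It uses Python's `xml.etree.ElementTree.canonicalize`, which implements C14N 2.0 rather than the Canonical XML 1.0 that RFC 3275 references; the stanzas, addresses and function names are constructed for illustration.

```python
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize  # Python 3.8+, C14N 2.0

# Constructed sample: one <message/> stanza serialized two equivalent ways
# (attribute order, quote style, whitespace in the start tag, empty-element form).
STANZA_AS_SENT = (
    '<message xmlns="jabber:client" to="juliet@example.com" type="chat">'
    '<body>Wherefore art thou?</body><thread/></message>'
)
STANZA_AS_RELAYED = (
    "<message type='chat'  to='juliet@example.com' xmlns='jabber:client' >"
    "<body>Wherefore art thou?</body><thread></thread></message>"
)
# Constructed sample: same serialization as sent, but the body text was altered.
STANZA_TAMPERED = STANZA_AS_SENT.replace("Wherefore", "Where")


def raw_digest(xml_text):
    """SHA-256 over the bytes exactly as they appeared on the wire."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text):
    """SHA-256 over the canonical form, which is what a signature should cover."""
    canonical = canonicalize(xml_text)  # sorts attributes, expands empty tags
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def same_signed_content(a, b):
    """True when two serializations carry identical canonical content."""
    return hmac.compare_digest(canonical_digest(a), canonical_digest(b))


if __name__ == "__main__":
    print("raw digests equal:      ",
          raw_digest(STANZA_AS_SENT) == raw_digest(STANZA_AS_RELAYED))
    print("canonical digests equal:",
          same_signed_content(STANZA_AS_SENT, STANZA_AS_RELAYED))
    print("tampering detected:     ",
          not same_signed_content(STANZA_AS_SENT, STANZA_TAMPERED))
```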

Further research required...

