[linux-elitists] IM servers for Linux

Rick Moen rick@linuxmafia.com
Sun Jan 5 23:53:29 PST 2003

Quoting David L. Sifry (david@sifry.com):

> Here's the downsides:

It's a little disappointing that the Jabber guys were so taken by
surprise by the need to do message signing/authentication that their
solution was a kludge-on GPG inclusion like this:

  <x xmlns="jabber:x:signed">
  [ signed data here ] </x>

(They were talking about replacing that, but the point is that the
problem wasn't addressed in the original design.)

And ditto that session encryption/authentication was a similar sort of
kludge (just shove everything into OpenSSL).  Web of trust or PKI?
End-to-end crypto all the way from sender to recipient?  Nope.  The
servers of necessity become highly trusted entities -- and the basic
architecture looks to me like a man-in-the-middle attack waiting to
happen, among other things.

In general, the Jabber community's approach to security problems has
been, as far as I can tell, to improvise and further complicate.  Which,
in security measures, just doesn't give me the warm fuzzies.

Nothing's perfect, of course -- and shops that are willing to put up
with MS Exchange Servers and Outlook clients (the ones Larry's been
talking about) aren't likely to be picky, but here's my idea of an IM
system designed properly in all of the above ways:


Cheers,                                      "My file system's got no nodes!"
Rick Moen                                    "How does it shell?"

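A worked illustration of the two complaints above, added here as an example and not part of Rick's post or of any Jabber code: a stanza carrying the `<x xmlns="jabber:x:signed">` extension, relayed through a server that can read and rewrite it. In the real extension the signed data is an OpenPGP detached signature with the armor headers stripped; to keep this runnable offline, a toy textbook-RSA signature over the message body stands in for it (no padding, short keys, not for real use), and the JIDs and message text are constructed for the demo. The point it makes is the one in the post: with hop-by-hop TLS alone the server is a trusted intermediary and a rewrite is invisible to the recipient; only an end-to-end signature over the content lets the recipient notice.

```python
import hashlib
import random
import xml.etree.ElementTree as ET

JABBER_X_SIGNED = "jabber:x:signed"


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test (toy key generation helper)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Textbook RSA keypair, standing in for the sender's OpenPGP key.
    Returns (public=(e, n), private=(d, n)). Toy-sized; demo only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)


def sign(text, privkey):
    """Toy signature: SHA-256 of the text, raised to d mod n (no padding)."""
    d, n = privkey
    h = int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")
    return pow(h, d, n)


def verify(text, signature, pubkey):
    e, n = pubkey
    h = int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")
    return pow(signature, e, n) == h


def build_message(sender, recipient, body, privkey=None):
    """Build a <message/> stanza; with a key, attach the signature over the
    body in the jabber:x:signed extension quoted in the post."""
    msg = ET.Element("message", {"from": sender, "to": recipient, "type": "chat"})
    ET.SubElement(msg, "body").text = body
    if privkey is not None:
        x = ET.SubElement(msg, "x", {"xmlns": JABBER_X_SIGNED})
        x.text = format(sign(body, privkey), "x")  # hex stands in for the armored blob
    return ET.tostring(msg, encoding="unicode")


def relay_through_server(stanza_xml, rewrite_body=None):
    """Model of the intermediary server. TLS on each hop terminates here, so
    the server sees the stanza in the clear and, being trusted, can alter it."""
    msg = ET.fromstring(stanza_xml)
    if rewrite_body is not None:
        msg.find("body").text = rewrite_body
    return ET.tostring(msg, encoding="unicode")


def check_received(stanza_xml, sender_pubkey):
    """Recipient side. True: body matches signature. False: signed but altered.
    None: no signature present, so tampering cannot be detected at all."""
    msg = ET.fromstring(stanza_xml)
    x = msg.find("{%s}x" % JABBER_X_SIGNED)
    if x is None or not x.text:
        return None
    return verify(msg.findtext("body") or "", int(x.text, 16), sender_pubkey)


def demo():
    """Returns (signed-and-intact, signed-and-rewritten, unsigned-and-rewritten)."""
    pub, priv = generate_keypair()
    signed = build_message("alice@example.org", "bob@example.org", "meet at 7", priv)
    plain = build_message("alice@example.org", "bob@example.org", "meet at 7")
    return (
        check_received(relay_through_server(signed), pub),
        check_received(relay_through_server(signed, rewrite_body="meet at 9"), pub),
        check_received(relay_through_server(plain, rewrite_body="meet at 9"), pub),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, None)
```

Note what the example does not fix: the recipient still has to obtain the sender's public key from somewhere, which is exactly the web-of-trust-or-PKI question the post says the design never answered; a server that can rewrite bodies can also substitute a key it controls if keys are fetched through it.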