annotate doc/encryption.rst @ 4156:2729d424dee7

plugin XEP-0359: use same ID as <message> for `origin_id`: even if the XEP doesn't specify if Message ID must be the same as `origin_id`, using a different one makes little sense, and is leading to bugs in other implementation (e.g. Movim using the wrong ID for reactions).
author Goffi <goffi@goffi.org>
date Wed, 22 Nov 2023 15:05:41 +0100
parents c4418949aa37
children 8da377040ba6
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
3950
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
1 .. _encryption:
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
2
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
3 ===========================
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
4 Encryption in Libervia/XMPP
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
5 ===========================
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
6
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
7 Libervia being an XMPP client, it handles encryption between client and server, then the
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
8 message is encrypted between servers, and finally to deliver to target client(s).
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
9
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
10 This avoid the communication to be accessible from people having access to the network,
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
11 but the communications are available to server administrators, or administrators of
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
12 services that you may use (e.g. pubsub service).
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
13
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
14 To make your communications inaccessible to anybody but your recipient(s), end-to-end
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
15 encryption (or e2ee) may be used. This page aims to explain roughly how it is done in
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
16 Libervia and XMPP so end-user can understand and exploit it correctly.
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
17
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
18 .. note::
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
19
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
20 this page is work in progress, it will be completed over time to explain the whole
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
21 machanism. Is something is not clear, please contact the development team at the XMPP
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
22 room `libervia@chat.jabberfr.org <xmpp:libervia@chat.jabberfr.org?join>`__ to get
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
23 details and help to improve this documentation.
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
24
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
25
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
26 .. _pubsub-encryption:
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
27
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
28 Pubsub Encryption
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
29 =================
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
30
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
31 By default, pubsub items are in plain text (i.e. not encrypted, beside the normal
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
32 encryption between client and server, and between servers). This is often the desired
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
33 behaviour as pubsub is often used for public matters (public blogs, events, or other kind
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
34 of data).
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
35
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
36 However, pubsub may also be used for private matters, to keep safe some of your own data,
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
37 or to uses all other kind of features privately (private blog, event organization, etc).
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
38
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
39 To make private pubsub node, in addition to the access model which restrict entities which
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
40 can retrieve its item, it is possible to use end-to-end encryption.
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
41
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
42 Pubsub is not encrypted the same way as messages, because you generally need to access all
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
43 items of a pubsub node, even if you get access to the node once items have already been
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
44 published.
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
45
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
46 E2ee is currently done using `OpenPGP`_ (or OX for PubSub: OXPS). Each item is encrypted
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
47 using a **symmetric** encryption, which mean that the same key (called "shared secret") is
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
48 used both to encrypt and decrypt an item, and is shared between all people who must access
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
49 or publish to the pubsub node (i.e. blog, event calendar, etc). This is done this way to
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
50 make it easy to add a new members, who can then access all archives of the node, but this
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
51 also means that if the shared secret is compromised (i.e. somebody who should not has
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
52 obtained a copy), all items made with this secret are accessible to the persons in
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
53 possession of the secret.
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
54
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
55 .. note::
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
56
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
57 OXPS specification is not currently an official XEP (XMPP Extension Protocol), it is
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
58 about to be examinated by "XMPP council". This documentation will be updated with the
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
59 evolution of the situation. You can read current specification proposal at
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
60 https://xmpp.org/extensions/inbox/pubsub-encryption.html (which is inaccessible due to
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
61 a 404 error at the time of writting, this should be fixed hopefully when you read this
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
62 documentation).
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
63
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
64 To make an encrypted pubsub node accessible to somebody, you need to share the secret with
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
65 them.
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
66
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
67 You can see that as the key of a house: everybody who has a copy of the key can go inside
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
68 the house, and bring something or take pictures. Sharing the secret is like making
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
69 a copy of the key and giving it to the person.
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
70
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
71 If you think that your shared secret is compromised (obtained by somebody who shouldn't),
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
72 or if you want to remove access to somebody, you can "rotate" the secret, which means that
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
73 every existing key is revoked (flagged as "you should not use it anymore to write
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
74 something", but you can still use it to read archives), and a new one is created (to write
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
75 new items).
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
76
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
77 With the house analogy, it's like changing the locks, and giving new keys to trusted
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
78 people: people with the older keys can't go inside the house anymore, but if they have
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
79 taken pictures before the key has been changed, theirs pictures is still in their
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
80 possession.
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
81
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
82 .. attention::
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
83
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
84 If you rotate the shared secret, new items are using the new secret, but all items
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
85 which were existing before the secret rotation stay accessible to people who had access
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
86 to former secrets (the pubsub node can refuse access to them though). If malicious
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
87 people had access to items before, they could have made copy anytime, thus there is
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
88 little point in reencrypting everything.
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
89
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
90 To handle encrypted pubsub node shared secrets from command line, you may use
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
91 :ref:`libervia-cli_pubsub_secret`.
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
92
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
93 .. _OpenPGP: https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP
8f87ff449a34 doc: new doc giving an overview on how e2ee is working in Libervia/XMPP:
Goffi <goffi@goffi.org>
parents:
diff changeset
94
3975
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
95 Pubsub Targeted Encryption
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
96 ==========================
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
97
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
98 It is also possible to encrypt a single pubsub item for a restricted set of users. This is
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
99 different from the pubsub encryption explained above, as if you want to encrypt for a
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
100 different set of users, you need to re-encrypt all concerned items, so this is more
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
101 adapted for use cases when you only want to encrypt a few items in a pubsub node.
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
102
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
103 On the other hand, you have all the properties of the algorithm used (for now, only OMEMO
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
104 2 is supported), which means that you can have `Perfect Forward Secrecy`_ for algorithms
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
105 supporting it (it's the case for OMEMO.)
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
106
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
107 .. note::
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
108
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
109 Pubsub Targeted Encryption(PTE) specification is not currently an official XEP (XMPP
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
110 Extension Protocol), it is about to be examinated by "XMPP council". This documentation
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
111 will be updated with the evolution of the situation.
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
112
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
113 .. _Perfect Forward Secrecy: https://en.wikipedia.org/wiki/Forward_secrecy
c4418949aa37 doc (encryption, cli): document Pubsub Targeted Encryption:
Goffi <goffi@goffi.org>
parents: 3966
diff changeset
114
3966
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
115 Pubsub Signature
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
116 ================
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
117
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
118 By default, identity of the publisher of a pubsub item is difficult to authenticate: it
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
119 may be specified by the pubsub service (using the `"publisher" attribute`_), but this
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
120 attribute is not set by all pubsub services, and it can be spoofed by the service or the
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
121 XMPP server.
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
122
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
123 To strongly authenticate the publisher of a pubsub item, it is possible to cryptographically sign an item. This can work with any pubsub item, encrypted or not, and it can be done after the item has been published. The process use `Pubsub Signing protoXEP`_
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
124
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
125 .. note::
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
126
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
127 Pubsub Signing specification is not currently an official XEP (XMPP Extension
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
128 Protocol), it is about to be examinated by "XMPP council". This documentation will be
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
129 updated with the evolution of the situation.
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
130
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
131 .. attention::
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
132
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
133 Signature only certifies that the signers strongly link themselves with this version of
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
134 the item, not that the signers are the original authors of the item. In other words, it
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
135 prevents somebody to say that somebody else has published something (the signature
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
136 would be missing or invalid), but the published data may come from anywhere. Also keep
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
137 in mind that a security breach (stolen encryption keys, major bug somewhere) is always
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
138 possible.
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
139
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
140
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
141 To handle pubsub signatures from command line, you may use
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
142 :ref:`libervia-cli_pubsub_signature`.
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
143
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
144 .. _"publisher" attribute: https://xmpp.org/extensions/xep-0060.html#publisher-publish-success-publisher
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
145
9f85369294f3 doc (encryption, cli): pubsub signing documentation:
Goffi <goffi@goffi.org>
parents: 3950
diff changeset
146 .. _Pubsub Signing protoXEP: https://github.com/xsf/xeps/pull/1228