comparison doc/encryption.rst @ 3966:9f85369294f3

doc (encryption, cli): pubsub signing documentation:

- add a `Pubsub Signature` section to `encryption` documentation
- document `-X, --sign` flag where it's used
- document `pubsub/signature` subcommands

fix 381
author Goffi <goffi@goffi.org>
date Sun, 30 Oct 2022 01:06:58 +0200
parents 8f87ff449a34
children c4418949aa37
3965:2695dafc5c4d 3966:9f85369294f3
90 To handle encrypted pubsub node shared secrets from command line, you may use 90 To handle encrypted pubsub node shared secrets from command line, you may use
91 :ref:`libervia-cli_pubsub_secret`. 91 :ref:`libervia-cli_pubsub_secret`.
92 92
93 .. _OpenPGP: https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP 93 .. _OpenPGP: https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP
94 94
95 Pubsub Signature
96 ================
97
98 By default, identity of the publisher of a pubsub item is difficult to authenticate: it
99 may be specified by the pubsub service (using the `"publisher" attribute`_), but this
100 attribute is not set by all pubsub services, and it can be spoofed by the service or the
101 XMPP server.
102
103 To strongly authenticate the publisher of a pubsub item, it is possible to cryptographically sign an item. This can work with any pubsub item, encrypted or not, and it can be done after the item has been published. The process use `Pubsub Signing protoXEP`_
104
105 .. note::
106
107 Pubsub Signing specification is not currently an official XEP (XMPP Extension
108 Protocol), it is about to be examinated by "XMPP council". This documentation will be
109 updated with the evolution of the situation.
110
111 .. attention::
112
113 Signature only certifies that the signers strongly link themselves with this version of
114 the item, not that the signers are the original authors of the item. In other words, it
115 prevents somebody to say that somebody else has published something (the signature
116 would be missing or invalid), but the published data may come from anywhere. Also keep
117 in mind that a security breach (stolen encryption keys, major bug somewhere) is always
118 possible.
119
120
121 To handle pubsub signatures from command line, you may use
122 :ref:`libervia-cli_pubsub_signature`.
123
124 .. _"publisher" attribute: https://xmpp.org/extensions/xep-0060.html#publisher-publish-success-publisher
125
126 .. _Pubsub Signing protoXEP: https://github.com/xsf/xeps/pull/1228
127
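
Review bot: in the attention block (new lines 113-118), "stolen encryption keys" names the wrong asset for a section about signatures. What lets someone else produce a valid signature is a stolen signing key, so consider "stolen signing keys" or simply "stolen keys". In the same block, "it prevents somebody to say that somebody else has published something" should read "it prevents somebody from claiming that somebody else has published something". The parenthesis "(the signature would be missing or invalid)" treats a missing signature and an invalid one the same way, and a sentence on how a reader should interpret each case would make the guarantee clearer. On new line 103, "The process use" should be "The process uses", the sentence lacks its final period, and the paragraph is not wrapped like the surrounding text. On new line 108, "examinated" should be "examined".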