[Psi-devel] Re: Re: Re: Remote Controlling Psi

Hal Rottenberg halr9000 at gmail.com
Tue Jan 4 08:46:21 PST 2005


> > Alternatively, you don't necessarily need encryption, but rather you need
> > signing.  Or perhaps both.
> 
> Well, there's the problem that a server admin can intercept any package
> and (immediately) resend it from his own JID. Encrypting does not solve
> this problem, but it makes it less obvious for an admin what commands
> are interesting to him and which ones aren't. But again, this is no
> solution to a security problem; I'm afraid I don't really see an easy
> 'secure' way to execute ad-hoc commands.

No, with a proper implementation, you can protect against replay
attacks as mentioned before by signing and verifying the timestamps
match within a small threshold to allow for latency.
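
The check described in this reply, as an added example that is not code from this thread or from Psi. It assumes an HMAC-SHA256 over a pre-shared key in place of whatever signature scheme a client would use, hypothetical field names, and a 30-second window; it also goes one step beyond the reply by remembering message ids, so a copy resent inside the window is rejected too.

```python
import hashlib
import hmac
import time

MAX_SKEW = 30  # seconds allowed for latency and clock drift (assumed value)


def _mac(key, sender, command, ts, msg_id):
    # Length-prefix every field so bytes cannot be shifted between fields.
    fields = (sender.encode(), command.encode(), str(ts).encode(), msg_id.encode())
    data = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_command(key, sender, command, msg_id, now=None):
    """Build a command message whose signature covers sender JID, command, time and id."""
    ts = int(time.time() if now is None else now)
    return {"from": sender, "command": command, "ts": ts, "id": msg_id,
            "sig": _mac(key, sender, command, ts, msg_id)}


class Verifier:
    def __init__(self, key, max_skew=MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # msg_id -> signed timestamp, kept while inside the window

    def verify(self, msg, now=None):
        now = time.time() if now is None else now
        expected = _mac(self.key, msg["from"], msg["command"], msg["ts"], msg["id"])
        # Signature first: a changed JID, command or timestamp fails here.
        if not hmac.compare_digest(expected, msg["sig"]):
            return "bad-signature"
        # Timestamp must match the receiver's clock within the threshold.
        if abs(now - msg["ts"]) > self.max_skew:
            return "stale"
        # Drop ids that have aged out; anything that old is rejected as stale anyway.
        self.seen = {i: t for i, t in self.seen.items()
                     if abs(now - t) <= self.max_skew}
        if msg["id"] in self.seen:
            return "replayed"
        self.seen[msg["id"]] = msg["ts"]
        return "ok"
```

Because the sender JID is inside the signed data, a captured command resent from a different JID fails verification instead of being accepted under the new sender.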

