Michael Reichenbach wrote:
> Not many client developers seemed to "like" the official jabber protocol
> encryption extension. I think this because they did not implement it.
>
> Most either implemented their own implementation of OpenPGP or the most
> used encryption method for jabber clients so far is OTR.
>
> I am not skilled enough in cryptography to look really deep under the
> hood of OTR. But its features (encryption, authentication, deniability
> and Perfect forward secrecy) seem to be better (or better said more
> modern). OTR seems to be more practical for instant messengers than PGP.
>
> OTR is also very easy to set up (compared to OpenPGP). For friends in
> real life you just meet them and verify their fingerprint, another
> method is the shared secret (I prefer the first method).
>
> If you want strangers to contact you with encryption enabled you would
> need to post your fingerprint signed with pgp somewhere.
>
> Or the worst method, you just blindly accept the fingerprint of
> strangers. That's better than no encryption at all, not 100% secure but
> you will know that it's always the same one you are talking to (except
> when there is a mitm from the first time which is unlikely and if so you
> can still verify the correct fingerprint later if you feel the need to).
>
> Currently OTR is only for instant messages. Not for group chats,
> file transfer, audio or video (last two things may be technically
> impossible with OTR features).
>
> My point is, developers seem to like OTR more than the official protocol
> extension of jabber.
>
> So now my question is, why don't you drop the not used protocol
> extension and use OTR instead as the official extension? I am not
> affiliated with the OTR team in any way, but I guess they would also
> prefer this.

We have looked at OTR but we concluded that it's not very compatible
with Jabber. The Encrypted Sessions technology we developed is in fact
very similar to OTR, but it has a few key differences, including the
ability to encrypt the entire packet (not just the message text). This
is important for things like Jingle negotiation (you don't want to
expose your IP addresses), XHTML-formatted messages, and so on.

I agree with you that client developers don't seem to be enthusiastic
about end-to-end encryption. In fact, few clients have added support
even for OpenPGP. OTR is relatively popular because there is a single
library that client developers can use to develop plugins for Pidgin,
Adium, etc. Maybe what we need to do is develop a single good library
for encrypted sessions and encourage client developers to use that...

Peter
--
Peter Saint-Andre
https://stpeter.im/