On Tuesday 09 January 2007 11:33 am, Peter Saint-Andre wrote: > It's time for us to get serious about end-to-end encryption (e2e). > > Ian Paterson has been working hard on specs for e2e. I think we now have > the pieces in place for strong e2e between any two users, in a way that > even Aunt Tillie can use. Now we need to make it happen.
I read through the XEPs, and my initial reaction is ... holy smokes this is a lot of material! And we're worried programmers will have trouble parsing CPIM? :) I think the e2e XEPs may be great in the long term, but it will be years before this is implemented widespread. First, we need thorough security reviews of all the specifications by multiple parties. Then we can implement, and that will take time too. Just to bring reality home here.. show of hands for developers even doing certificate validation with TLS? Also, Ian also has a tendency to incorporate bleeding edge security algorithms and procedures, that I'm not sure have received proper scrutiny.. The main thing I'd like to see are some security reviews by people who actually design and implement crypto. Let's hear from Peter Guttman or Eric Rescorla. We need prominent members in the security community that not only will do a basic error check, but will also ask important questions like, "why the hell are you doing it this way?" :) I'll be implementing RFC 3923 until then. -Justin
