Oh great, now I have friends pointing me at libtech postings inciting me to reply to them because they're excited to see what I will have to say...
At least I hope to surprise them a bit. Let's see...

On Tue, Nov 11, 2014 at 02:18:49PM -1000, Joseph Lorenzo Hall wrote:
> I'm here at IETF 91 hanging with all the protocol nerds. I was talking
> to someone about OTR and they pointed out that the object-encryption
> standard for XMPP that has been put forward is about to die due to
> lack of interest and engagement:
>
> http://tools.ietf.org/html/draft-miller-xmpp-e2e

Yes, Matt Miller presented that at the IETF before and although Snowden was in the air no client dev came forward to say YES! Let's do this. It was so sad, I even refrained from bashing XMPP too loud that it is the wrong and broken protocol for the job anyhow.

> Has anyone seen this and thinks it could be a good thing to
> standardize? I realize it's a subset of what OTR provides but I'm
> wondering if this could be something we as a community might want to
> work with in this kind of standards body.

Subset? The proper integration of E2E and PFS removing most of the trouble we have with OTR desyncing and throwing errors in our face would be a great improvement of the XMPP experience, given you want to keep XMPP. And it also applies to other XMPP packets like profile look-ups etc - things that people *expect* to be secure when using OTR while they actually aren't. So I don't really see what you mean by subset here. I have the impression it does more. Is it missing socialist millionaire? That would be a problem. Do you mean that by subset? Haven't looked at the draft recently. It's kind-of been around in the XMPP standards discussion for about a decade now, ever since OTR came up.

> Any e2e-has-a-posse folks have an interest here or is standardization
> not an interest or desire?

Standardization is not the problem. You need at least one dev who cares enough to implement all the lot of code into one of the too many badly implemented XMPP clients. It's awful how only few XMPP clients currently offer the full up to date OTR protocol.
I have a feeling the majority of OTR conversations are not properly being authenticated because of things like socialist millionaire (aka shared secrets) not being implemented everywhere.

No wait, I correct myself. Standardization IS the problem. It leads to every spare time code writer doing his own client brew and none of them being solid enough for humanity's needs (given that XMPP wasn't a bad choice in the first place). What we need is everyone working on a single solid codebase, possibly ChatSecure, and have that available for ALL platforms, with professional usability and no glitches.

But then again maybe it's time to kiss federation good-bye. XMPP comes not only with a lot of problems of its own that you can read about at http://about.psyc.eu/XMPP - it also shares the fundamental architecture problem with PSYC being the federation of servers. When we designed those protocols we made the fatally wrong assumption that servers are neat, cool, sweet and most of all SAFE. Also back in the 90s we didn't have DHTs yet.

Fifteen years later it is overdue to admit that XMPP, SMTP and other federation protocols were designed to a paradigm which no longer is recommendable. We should improve those technologies that provide not only end-to-end encrypted messaging, but also metadata protection and defense against attacks on single points of failure like jabber.ccc.de.

http://secushare.org/comparison lists a few platforms that are heading in the right direction. I need to add blockchain apps to that soonish, as Bitmessage seems to function and I'm no longer sure it can't scale. Maybe it actually could.

Please let's get off XMPP+OTR soon and not invest huge amounts of energy just to get rid of the bugs. And let's stop talking about open standards for free software. Open standards are only important when we HAVE to deal with some company dominating the field with its proprietary tool.
As long as we do not need to interact with any proprietary thing, we can avoid impeding development by standardization. Just think how useful it would have been to spread cat gifs over XMPP if XMPP weren't so impractical for binary data. Instead it sucks, so nobody does it.

It's crazy for our civil liberties and the foundations of democracy to be using either Facebook or Google for personal conversations, so we should not work on an open standard that includes those platforms. So we don't need to focus on an open standard. We just need running AGPL code, which implies a free protocol by definition.

--
http://youbroketheinternet.org
ircs://psyced.org/youbroketheinternet
