Speaking of XMPP, it might be worth checking out telehash, a work in progress led by Jeremie Miller and most of the same team who gave us XMPP, back in the last millennium:
http://telehash.org

Doesn't (and shouldn't) cover everything, but it comes from good motivations and hackers.

Doc

> On Nov 12, 2014, at 5:40 AM, carlo von lynX <[email protected]> wrote:
>
> Oh great, now I have friends pointing me at libtech postings
> inciting me to reply to them because they're excited to see
> what I will have to say...
>
> At least I hope to surprise them a bit. Let's see...
>
> On Tue, Nov 11, 2014 at 02:18:49PM -1000, Joseph Lorenzo Hall wrote:
>> I'm here at IETF 91 hanging with all the protocol nerds. I was talking
>> to someone about OTR and they pointed out that the object-encryption
>> standard for XMPP that has been put forward is about to die due to
>> lack of interest and engagement:
>>
>> http://tools.ietf.org/html/draft-miller-xmpp-e2e
>
> Yes, Matt Miller presented that at the IETF before and although
> Snowden was in the air no client dev came forward to say YES!
> Let's do this. It was so sad, I even refrained from bashing
> XMPP too loud that it is the wrong and broken protocol for the
> job anyhow.
>
>> Has anyone seen this and thinks it could be a good thing to
>> standardize? I realize it's a subset of what OTR provides but I'm
>> wondering if this could be something we as a community might want to
>> work with in this kind of standards body.
>
> Subset? The proper integration of E2E and PFS removing most of the
> trouble we have with OTR desyncing and throwing errors in our face
> would be a great improvement of the XMPP experience, given you
> want to keep XMPP. And it also applies to other XMPP packets like
> profile look-ups etc - things that people *expect* to be secure
> when using OTR while they actually aren't. So I don't really see
> what you mean by subset here. I have the impression it does more.
> Is it missing socialist millionaire? That would be a problem. Do
> you mean that by subset? Haven't looked at the draft recently.
> It's kind-of been around in the XMPP standards discussion for
> about a decade now, ever since OTR came up.
>
>> Any e2e-has-a-posse folks have an interest here or is standardization
>> not an interest or desire?
>
> Standardization is not the problem. You need at least one dev
> who cares enough to implement all the lot of code into one of the
> too many badly implemented XMPP clients. It's awful how only few
> XMPP clients currently offer the full up to date OTR protocol.
> I have a feeling the majority of OTR conversations are not
> properly being authenticated because of things like socialist
> millionaire (aka shared secrets) not being implemented everywhere.
>
> No wait, I correct myself. Standardization IS the problem. It
> leads to every spare time code writer doing his own client brew
> and none of them being solid enough for humanity's needs (given
> that XMPP wasn't a bad choice in the first place). What we need
> is everyone working on a single solid codebase, possibly
> ChatSecure, and have that available for ALL platforms, with
> professional usability and no glitches.
>
> But then again maybe it's time to kiss federation good-bye.
> XMPP comes not only with a lot of problems of its own that you
> can read about at http://about.psyc.eu/XMPP - it also shares
> the fundamental architecture problem with PSYC being the
> federation of servers. When we designed those protocols we
> made the fatally wrong assumption that servers are neat, cool,
> sweet and most of all SAFE. Also back in the 90s we didn't
> have DHTs yet. Fifteen years later it is overdue to admit that
> XMPP, SMTP and other federation protocols were designed to a
> paradigm which no longer is recommendable. We should improve
> those technologies that provide not only end-to-end encrypted
> messaging, but also metadata protection and defense against
> attacks on single points of failure like jabber.ccc.de.
>
> http://secushare.org/comparison lists a few platforms that are
> heading in the right direction. I need to add blockchain
> apps to that soonish, as Bitmessage seems to function and I'm
> no longer sure it can't scale. Maybe it actually could. Please
> let's get off XMPP+OTR soon and not invest huge amounts of
> energy just to get rid of the bugs.
>
> And let's stop talking about open standards for free software.
> Open standards are only important when we HAVE to deal with
> some company dominating the field with its proprietary tool.
> As long as we do not need to interact with any proprietary
> thing, we can avoid impeding development by standardization.
>
> Just think how useful it would have been to spread cat gifs
> over XMPP if XMPP weren't so impractical for binary data.
> Instead it sucks, so nobody does it.
>
> It's crazy for our civil liberties and the foundations of
> democracy to be using either Facebook or Google for personal
> conversations, so we should not work on an open standard that
> includes those platforms. So we don't need to focus on an open
> standard. We just need running AGPL code, which implies a free
> protocol by definition.
>
> --
> http://youbroketheinternet.org
> ircs://psyced.org/youbroketheinternet
> --
> Liberationtech is public & archives are searchable on Google. Violations of
> list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
> change to digest, or change password by emailing moderator at
> [email protected].
