> -----Original Message-----
> From: security-boun...@xmpp.org [mailto:security-boun...@xmpp.org] On Behalf Of Peter Saint-Andre
> Sent: 28 March 2009 12:21 AM
> To: XMPP Security
> Cc: Pete Resnick
> Subject: Re: [Security] XMPP encryption summary from IETF 74
>
> On 3/27/09 3:06 PM, Brendan Taylor wrote:
> > On Fri, Mar 27, 2009 at 12:56:27PM -0600, Peter Saint-Andre wrote:
> >> 1. Why Not Use OTR?
> >>
> >> ...
> >
> > It wouldn't be compatible with OTR, though. I doubt the official OTR
> > library (as it exists now) would be able to handle it, and sending
> > XOTR-encrypted messages through gateways wouldn't work.
>
> Right. If we were to go down that route, we'd need to work with the OTR
> developers to make OTRv3, which would at the very least include a way to
> signal that the payload is (1) XMPP or (2) text.
Or indeed more transparent. Being able to have a local proxy to handle the XMPP data is a great idea, only:

- The OTR guys didn't get the XMPP end of it right (more in the rant).
- Having a binding for each and every protocol is just plain pointless.
- You will never support them *all*.
- Whitespace signalling is just plain nasty, and could be lost between XMPP servers.
- Only necessary for closed gardens (which people should forget about in any case).
- Again, it can break XMPP.

Given:

- It would probably be able to traverse an XMPP-MSN gateway, which is way cool.
- Any XMPP client is theoretically supported.

They need to go the route of SASL, where they define a protocol that you embed in your protocol in whichever way you deem necessary. They are actually in a good position to define an e2e encryption negotiation protocol (like SASL) for which OTRv3 is a 'mechanism'.

If they are really serious about it, they should approach the IETF at some point to get some RFCs laid down (I doubt the current iteration would have made it as-is as an RFC) - however, I suspect that I am leaving the scope of this mailing list. In any case, if someone (PSA?) is going to liaise with them, I suppose I should 'ave my say.

<rant>By the way, why was there *no* communication with the XMPP community when they went about implementing the XMPP layer for OTR? Or the XML community, for that matter - because the signalling goes beyond not working well with XMPP. Surely you would expect them to ask whether something would work or not (it probably wouldn't on the server I am *still* writing). Certainly, if we gave the hand (or the finger), their current attempt would have made sense, but I suspect we would have been more accommodating than that.</rant>

> > Peter
> >
> > --
> > Peter Saint-Andre
> > https://stpeter.im/
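The reply above makes two concrete claims: that whitespace signalling can be lost when an intermediary normalises the text of a `<body>`, and that an explicit, SASL-style signal carried as XML would survive. The following Python is an added example that is not part of this thread and is not OTR's or any XMPP server's code; the whitespace tag bytes, the namespace `urn:example:e2e-signal`, and the "normalising relay" are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed whitespace tag standing in for an OTR-style run of spaces and
# tabs appended to a plaintext message. Invisible to a human reader, and
# indistinguishable from insignificant whitespace to an XML processor.
WHITESPACE_TAG = " \t  \t\t\t\t \t \t \t  "

# Constructed namespace for an explicit, in-band negotiation signal.
E2E_NS = "urn:example:e2e-signal"
E2E_TAG = "{%s}e2e" % E2E_NS


def build_stanza_whitespace(plaintext):
    """Message stanza whose only e2e signal is trailing whitespace in <body>."""
    msg = ET.Element("message", {"to": "bob@example.net", "type": "chat"})
    ET.SubElement(msg, "body").text = plaintext + WHITESPACE_TAG
    return ET.tostring(msg, encoding="unicode")


def build_stanza_explicit(plaintext, version="3"):
    """Message stanza that signals e2e capability with a namespaced child element."""
    msg = ET.Element("message", {"to": "bob@example.net", "type": "chat"})
    ET.SubElement(msg, "body").text = plaintext
    ET.SubElement(msg, E2E_TAG, {"version": version})
    return ET.tostring(msg, encoding="unicode")


def relay_faithful(stanza_xml):
    """A hop that re-parses and re-serialises the stanza without touching text."""
    return ET.tostring(ET.fromstring(stanza_xml), encoding="unicode")


def relay_normalizing(stanza_xml):
    """A hop that collapses runs of whitespace in <body> and trims the ends.

    Constructed to model a server, gateway or logging component that treats
    whitespace in character data as insignificant; the child elements are
    left intact because they are structure, not text.
    """
    root = ET.fromstring(stanza_xml)
    body = root.find("body")
    if body is not None and body.text:
        body.text = re.sub(r"\s+", " ", body.text).strip()
    return ET.tostring(root, encoding="unicode")


def has_whitespace_tag(stanza_xml):
    """True if the whitespace signal survived in <body>."""
    body = ET.fromstring(stanza_xml).find("body")
    return body is not None and body.text is not None and WHITESPACE_TAG in body.text


def has_explicit_signal(stanza_xml):
    """Return the advertised version if the explicit XML signal is present, else None."""
    e2e = ET.fromstring(stanza_xml).find(E2E_TAG)
    return e2e.get("version") if e2e is not None else None


if __name__ == "__main__":
    ws = build_stanza_whitespace("hello")
    ex = build_stanza_explicit("hello")
    for name, relay in (("faithful", relay_faithful), ("normalizing", relay_normalizing)):
        print(name, "whitespace tag survives:", has_whitespace_tag(relay(ws)),
              "| explicit signal survives:", has_explicit_signal(relay(ex)))
```

Run stand-alone, the script shows the whitespace tag surviving the faithful hop and vanishing after the normalising one, while the explicit element survives both. The design point is the one the reply makes: a signal that lives in character data is at the mercy of every intermediary's whitespace handling, whereas a signal carried as a namespaced element is something XMPP entities are required to either understand or pass through unchanged.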