On Thu, 2 Oct 2008 12:46:52 +0100 Pedro Melo <[EMAIL PROTECTED]> wrote:
> > On Oct 2, 2008, at 8:34 AM, Jonathan Schleifer wrote:
> > Anyway, as we're currently on that OOB vs. IBB thing for E2E: I
> > think using OOB is bad. Direct connections are a leak of privacy
>
> (I'm assuming that your loss of privacy is the other party getting
> your IP address)
>
> Not necessarily. You are assuming OOB using direct connections I
> assume, and forgetting about mediated connections.
>
> Besides, the entire discussion about E2E assumes that parties will
> use certificates and some sort of trust-upgrade mechanism. I would
> say that the information inside the certificate is probably more
> privacy-important than my IP address, but others might disagree.

+1. If you don't want your IP to be known, you can still do that.

> I admit I find it hard to see how you can have a secure and
> *trusted* connection without loss of privacy. But I'm not an expert
> on security.

Secure connections just require mutual authentication.

> > and not very reliable.
>
> I don't understand why a direct or mediated TCP connection is less
> reliable than a C2S + S2S * 2 + C2S set of connections. I think a
> direct connection is the most reliable of them all because I've got
> instant notification when something goes wrong: the connection gets
> dropped.

I am very much for direct connections where possible if we're dealing with security and/or performance. Sensible decentralization is already XMPP's advantage.

> I deal with lost stanzas every day due to S2S fluctuations, and those
> problems go away with direct connections. Even mediated connections
> look better.

Good then.

> > I think we should always use IBB for E2E, as long as it's only
> > text. ICQ demonstrated back then HOW bad this is.
>
> I encourage exactly the opposite, especially in a corporate
> environment. If I make sure the chat doesn't ever leave the local
> network, I reduce the risk of snooping considerably.

Correct, ICQ didn't demonstrate anything of this sort.

I encourage the opposite in all environments except maybe very special ones. A corporate environment should, though, have its own XMPP server.

> Just because it's encrypted, safe is still a relative term to your
> paranoia level.

Yep. Somewhere it was unencrypted and somewhere it will be decrypted again. Hopefully only by the right recipient :).

Pavel

--
Pavel Šimerda
Freelancer in computer networks, communications and security
Web: http://www.pavlix.net/
Jabber & Mail: pavlix(at)pavlix.net
OpenID: pavlix.net
