On 26/02/13 14:50, Jon Kristensen wrote:
> In the process of prototyping Yabasta, I have "designed" an OTR-like
> protocol[3] that, while based on OTR, differs from OTR in a number of
> ways. [...] any XML payloads can
> be protected (not just message bodies).

That seems a lot more XMPP-ish than "plain OTR", and addresses a concern I've always had about OTR (that it's defined in terms of a stream of plain-text messages, making it protocol-agnostic but unable to interact with individual protocols' features).

However, if this is not wire-protocol-compatible with "real OTR", does it have any particular advantages over previous XMPP work on end-to-end TLS, with X.509 certificates that are typically self-signed and used mainly as a vehicle for key material?

My understanding had been that the main advantage of OTR over TLS is that it gets some "network effect" from the OTR Pidgin plugin being somewhat widely-deployed; if that advantage isn't present, would it be better for security to reuse widely-tested TLS libraries (OpenSSL, GnuTLS etc.) rather than trying to get all the subtleties of crypto right in domain-specific code?

Which of the security properties desired by <https://tools.ietf.org/html/draft-ietf-xmpp-e2e-requirements-01> does this OTR-like protocol have, and does it have any more that are desirable but not specified in that document? (For that matter, which does OTR have?)

It seems to me as though many of OTR's frequently-stated advantages (such as perfect forward secrecy and repudiability) are advantages over older techniques like individually PGP-signing messages (XEP-0027, which has many other flaws), but are not advantages over TLS, which shares those properties. Is this the case?

Last time I looked at supporting OTR and/or XTLS in the Telepathy framework, I wrote <http://lists.freedesktop.org/archives/telepathy/2012-June/006122.html> and <http://lists.freedesktop.org/archives/telepathy/2012-June/006135.html> to try to articulate what our goals for end-to-end encryption might be, and which of those goals are satisfied by each of XTLS and OTR.

As far as I could work out in message 006135, XTLS offers just as much deniability as OTR (anyone who can understand a message stream enough to cite it as evidence of a conversation could also have faked the entire conversation). Is this the case, or was I missing something important?

Regards,
S
