Hey everyone, there is currently some momentum towards bringing better end-to-end encryption to XMPP, namely the OMEMO and the new OpenPGP XEPs. However, what is still missing is a unified way of exchanging keys and, maybe even more importantly, signatures.
I saw that in the Conversations client there already is a basic mechanism for signing OMEMO keys with a x.509 certificate. I took the freedom to go one step further and write down a (very) early draft of how a XEP could look like which specifies a process of signing keys with other keys and publishing those signatures. This way, for example, Alice could use an existing OpenPGP key to sign a new OMEMO key (that may reside on another device) and publish the signature so that Bob, who may already have trust in Alice's PGP key, doesn't have to manually verify the new key as well. I have written down some more use cases in the XEP draft. It would be great if some of you could give some feedback on whether you think the ideas therein are any good or if you agree that there is indeed need for such a specification. Please keep in mind that this is a very early draft and any feedback is welcome! I also really don't cling on any of the technical solutions proposed therein, so if you think there are more elegant ways to solve the issues addressed by this XEP, I would love to hear them. After all, the reason I posted this XEP in such an unfinished state is to gather some input on the topic... A first rendered version can be found here: http://fabianbeutel.de/stuff/xmpp/ksev/xep-ksev.html The source is on github: https://github.com/fbeutel/xep-ksev Specifically I would be interested in hearing some feedback on the following points: - Do you think it makes sense to separate metadata and data on the pubsub node in the way it is proposed here? Or does that impose too many round trips? I included it here, because keys and certificates can be quite large... - Should the XEP secify a way of publishing keys as well (as opposed to just signatures), considering that the OMEMO and OpenPGP specs already have ways of doing that? I thought it was the easiest solution to include it in the XEP, so that we have a well-defined terminology when talking about key ids etc. Finally, please be mild when judging the XEP draft, as this is my first attempt at formulating a XEP :) Best regards, Fabian _______________________________________________ Standards mailing list Info: http://mail.jabber.org/mailman/listinfo/standards Unsubscribe: [email protected] _______________________________________________
