On Mon, Oct 12, 2009 at 05:31:03PM -0400, Will Thompson wrote:
> Hi,
> 
> h...@the Boston Gnome Summit, Sjoerd, Rob and I stood around a
> blackboard drawing pictures[0] of how encrypted channels (using XTLS on
> XMPP, for instance) would look. Vague summary:

Thank you very much for looking at this.

> We then discussed various ways we could implement OTR support in
> Telepathy, ideally using the same API as for XTLS channels:
> 
> 1. Build OTR support into the necessary CMs (Gabble, Butterfly, Haze)
> and implement the same API as for XTLS.

I, for one, think XTLS is potentially a really bad idea.  The security
model of TLS is wrong and unworkable.  Relying on any kind of trusted
central authority to verify identity is a bad way to go.

The ssh model for identity verification works much better.  And that's
the model OTR uses.  Essentially remember the key you used when you
talked to someone and verify they are using the same key when you talk
to them again.  And also provide a convenient way for verification
through a more trusted channel.

I do believe that TLS only uses a MAC for ensuring that every individual
message makes it through unscathed, and so TLS provides a similar level
of deniability to OTR as far as being able to claim the other party made
up the conversation.

I know that this particular message isn't particularly germane to the
internal implementation details of how to make OTR work inside of
empathy.  But it is relevant to the question of encryption in empathy as
a whole.

Again, thanks for working on this, it is appreciated,
-- 
Eric Hopper ([email protected] http://www.omnifarious.org/~hopper)
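
The remember-the-key-and-compare model described in the message above, as an added example that is not part of the original e-mail and is not code from OTR, ssh or Telepathy. The `PinStore` class, the result names and the hex SHA-256 fingerprint format are assumptions of this example, and the sample keys are constructed.

```python
import hashlib

# Result names are this example's own, not taken from OTR or ssh.
FIRST_USE, MATCH, MISMATCH = "first-use", "match", "mismatch"


def fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 of the peer's public key (assumed fingerprint format)."""
    return hashlib.sha256(public_key).hexdigest()


class PinStore:
    """Remembers one key fingerprint per contact."""

    def __init__(self):
        self._pins = {}  # contact -> {"fp": str, "verified": bool}

    def check(self, contact: str, public_key: bytes) -> str:
        fp = fingerprint(public_key)
        pin = self._pins.get(contact)
        if pin is None:
            # First conversation: remember the key, not yet verified.
            self._pins[contact] = {"fp": fp, "verified": False}
            return FIRST_USE
        # Later conversations: the key must be the one seen before.
        # On mismatch the stored pin is kept; the caller must warn the user.
        return MATCH if pin["fp"] == fp else MISMATCH

    def verify_out_of_band(self, contact: str, trusted_fp: str) -> bool:
        """Compare the pin with a fingerprint received over a more trusted channel."""
        pin = self._pins.get(contact)
        if pin is None:
            return False
        given = trusted_fp.replace(" ", "").replace(":", "").lower()
        ok = pin["fp"] == given
        if ok:
            pin["verified"] = True
        return ok

    def is_verified(self, contact: str) -> bool:
        pin = self._pins.get(contact)
        return bool(pin and pin["verified"])


# Constructed sample keys, not real key material.
ALICE_KEY = b"constructed-sample-public-key-alice"
OTHER_KEY = b"constructed-sample-public-key-other"
```

A changed key never replaces the stored pin here, so a later conversation with the original key still matches and the mismatch stays visible to the caller.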
