[Standards-JIG] Re: UPDATED: JEP-0136 (Message Archiving)
Remko Troncon
remko at el-tramo.be
Sun Sep 10 08:42:39 CDT 2006
> Yes, but what if I use an old client which doesn't support the
> feature at all?
> Messages are then not logged -> data loss

I don't think we can compromise security just because people use old
clients. The most important part about specs is to make them easy to
implement, so everyone adopts them immediately, even the 'simple'
clients such as web clients. People using old software always pay the
price of not having all features, I don't see why it should be
different here (especially if security is at stake). Bug your client
developers.

> Not really user friendly.
> Or is encryption reserved for geeks?

'User friendly' and 'geeky' are not opposites. This aside, security
should be made as simple as possible, but not at the price of the
security itself. If you start putting keys on servers, there's no
security anymore, even for those who *are* experts. You might as well
drop end-to-end security altogether then. For end-to-end encryption,
all encryption and decryption should happen at the client.
An easy to use solution would be to have a security token which you
just insert in your USB-port, and your client auto detects it and
uses it for encryption. You put the token on your keychain with all
your other keys, and you have security everywhere you go. Not
something very common, but user-friendly nevertheless :)

cheers,
Remko