[jdev] end-to-end encryption -- making it happen

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Tue Jan 9 14:11:11 CST 2007

On Tuesday 09 January 2007 11:33 am, Peter Saint-Andre wrote:
> It's time for us to get serious about end-to-end encryption (e2e).
> Ian Paterson has been working hard on specs for e2e. I think we now have
> the pieces in place for strong e2e between any two users, in a way that
> even Aunt Tillie can use. Now we need to make it happen.

I read through the XEPs, and my initial reaction is ... holy smokes this is a 
lot of material!  And we're worried programmers will have trouble parsing 
CPIM? :)

I think the e2e XEPs may be great in the long term, but it will be years 
before this is implemented widespread.  First, we need thorough security 
reviews of all the specifications by multiple parties.  Then we can 
implement, and that will take time too.  Just to bring reality home here..  
show of hands for developers even doing certificate validation with TLS?

Also, Ian also has a tendency to incorporate bleeding edge security algorithms 
and procedures, that I'm not sure have received proper scrutiny..

The main thing I'd like to see are some security reviews by people who 
actually design and implement crypto.  Let's hear from Peter Guttman or Eric 
Rescorla.  We need prominent members in the security community that not only 
will do a basic error check, but will also ask important questions like, "why 
the hell are you doing it this way?" :)

I'll be implementing RFC 3923 until then.


More information about the JDev mailing list