[jdev] end-to-end encryption -- making it happen
justin-keyword-jabber.093179 at affinix.com
Tue Jan 9 14:11:11 CST 2007
On Tuesday 09 January 2007 11:33 am, Peter Saint-Andre wrote:
> It's time for us to get serious about end-to-end encryption (e2e).
> Ian Paterson has been working hard on specs for e2e. I think we now have
> the pieces in place for strong e2e between any two users, in a way that
> even Aunt Tillie can use. Now we need to make it happen.
I read through the XEPs, and my initial reaction is ... holy smokes this is a
lot of material! And we're worried programmers will have trouble parsing

I think the e2e XEPs may be great in the long term, but it will be years
before this is implemented widespread. First, we need thorough security
reviews of all the specifications by multiple parties. Then we can
implement, and that will take time too. Just to bring reality home here..
show of hands for developers even doing certificate validation with TLS?

Also, Ian has a tendency to incorporate bleeding edge security algorithms
and procedures that I'm not sure have received proper scrutiny..

The main thing I'd like to see are some security reviews by people who
actually design and implement crypto. Let's hear from Peter Gutmann or Eric
Rescorla. We need prominent members in the security community that not only
will do a basic error check, but will also ask important questions like, "why
the hell are you doing it this way?" :)

I'll be implementing RFC 3923 until then.