[jdev] OTR (was: Re: State of the XMPP Clients?)

Matthew A. Miller linuxwolf at outer-planes.net
Wed Aug 17 14:17:34 UTC 2011

On Aug 17, 2011, at 07:57, Peter Saint-Andre wrote:

> More than that, OTR just works [tm]. We've had debates for many years about PGP, S/MIME, SIGMA-based encrypted sessions, XTLS, etc. But for as long as we've been having these interminable discussions, OTR has quietly been working in the real world -- field tested by thousands of users in a wide variety of clients, and seemingly resistant to attacks.

It just works™ because there's effectively only one implementation.  Really easy to interoperate if you're the only game in town!

> Instead of trying to invent something new, why don't we use something that has plenty of running code behind it?

1) At least PGP and S/MIME (CMS) have been around longer than (lib)otr, and there have been implementations that used PGP/GPG.  IMO, we didn't do a good job incorporating one of them, so they have "failed" us.
2) A single implementation means a single point of failure and compromise.  If the XSF cares enough about this, then maybe we should fund at least one implementation for a few platforms (e.g. C, ECMAScript, Java, Python).  Also, get the specs somewhere with an established IPR and governance policy.

- m&m

