[jdev] OTR (was: Re: State of the XMPP Clients?)
Matthew A. Miller
linuxwolf at outer-planes.net
Wed Aug 17 14:17:34 UTC 2011
On Aug 17, 2011, at 07:57, Peter Saint-Andre wrote:
> More than that, OTR just works [tm]. We've had debates for many years about PGP, S/MIME, SIGMA-based encrypted sessions, XTLS, etc. But for as long as we've been having these interminable discussions, OTR has quietly been working in the real world -- field tested by thousands of users in a wide variety of clients, and seemingly resistant to attacks.
It just works™ because there's effectively only one implementation. Really easy to interoperate if you're the only game in town!
> Instead of trying to invent something new, why don't we use something that has plenty of running code behind it?
1) At least PGP and S/MIME (CMS) have been around longer than (lib)otr, and there have been implementations that used PGP/GPG. IMO, we didn't do a good job incorporating one of them, so they have "failed" us.
2) A single implementation means a single point of failure and compromise. If XSF care enough about this, then maybe we should fund at least one implementation for a few platforms (e.g. C, ECMAScript, Java, Python). Also, get the specs somewhere with an established IPR and governance policy.