stpeter at stpeter.im
Wed Aug 17 14:21:30 UTC 2011
On 8/17/11 8:17 AM, Matthew A. Miller wrote:
> On Aug 17, 2011, at 07:57, Peter Saint-Andre wrote:
>> More than that, OTR just works [tm]. We've had debates for many
>> years about PGP, S/MIME, SIGMA-based encrypted sessions, XTLS, etc.
>> But for as long as we've been having these interminable
>> discussions, OTR has quietly been working in the real world --
>> field tested by thousands of users in a wide variety of clients,
>> and seemingly resistant to attacks.
> It just works™ because there's effectively only one implementation.
> Really easy to interoperate if you're the only game in town!
>> Instead of trying to invent something new, why don't we use
>> something that has plenty of running code behind it?
> 1) At least PGP and S/MIME (CMS) have been around longer than
> (lib)otr, and there have been implementations that used PGP/GPG.
> IMO, we didn't do a good job incorporating one of them, so they have
> "failed" us.
Or we failed them, sure.
> 2) A single implementation means a single point of
> failure and compromise.
> If XSF care enough about this, then maybe we
> should fund at least one implementation for a few platforms (e.g. C,
> ECMAScript, Java, Python). Also, get the specs somewhere with an
> established IPR and governance policy.
I'm working with the OTR folks to get an Internet-Draft published.