[jdev] manifesto 0.4

Jonas Wielicki xmpp-dev at sotecware.net
Wed Oct 30 18:21:24 UTC 2013

On 30.10.2013 18:08, Kevin Smith wrote:
> At the risk of derailing discussions or adding noise, it's worth noting
> that not everyone's opinion of what is insecure is the same and varies by
> context. I have worked with some XMPP systems where the connection method
> doesn't involve TLS that I would consider pretty secure.

These are not available on the public internet though and do not
federate in the “normal” IM XMPP network, are they?

> Service providers on the Internet will probably be fine with committing to
> all this stuff, but we should (IMNSHO) continue to stop short of suggesting
> to devs what their software needs to do by default (I think it's sensible
> to suggest things that need to be supported).

I think it's important that the standards which provide reasonable, or
even the best available, security for appliances put on the public
network and federating with the “normal” IM XMPP network are the
default. The reason is simple. Someone installing a service which can be
secure by the way it is set up or how the network works, without any
transport-layer encryption, will have the knowledge required to
reconfigure the server software and maybe even how to bulk-reconfigure
the client software.

As far as I take it, we're not talking about removing “insecure” options
altogether. Just make it hard for the average user to trigger them.
That's the only way to get it secure for the average IM user, and that's
what the XMPP network should try to accomplish, I think.

But that's just, like, my opinion, man :)
