[Juser] jabber encryption extension

Michael Reichenbach michael_reichenbach at freenet.de
Thu Jan 3 10:57:02 CST 2008


Not many client developers seemed to "like" the official Jabber protocol 
encryption extension. I think this because they did not implement it.

Most either implemented their own implementation of OpenPGP or used OTR, 
which is the most used encryption method for Jabber clients so far.

I am not skilled enough in cryptography to look really deep under the 
hood of OTR. But its features (encryption, authentication, deniability 
and perfect forward secrecy) seem to be better (or, better said, more 
modern). OTR seems to be more practical for instant messengers than PGP.

OTR is also very easy to set up (compared to OpenPGP). For friends in 
real life you just meet them and verify their fingerprint; another 
method is the shared secret (I prefer the first method).

If you want strangers to contact you with encryption enabled you would 
need to post your fingerprint signed with PGP somewhere.

Or, the worst method, you just blindly accept the fingerprint of 
strangers. That's better than no encryption at all; it is not 100% 
secure, but you will know that it's always the same one you are talking 
to (except when there is a MITM from the first time, which is unlikely, 
and if so you can still verify the correct fingerprint later if you feel 
the need to).

Currently OTR is only for instant messages. Not for group chats, 
file transfer, audio or video (the last two things may be technically 
impossible with OTR features).

My point is, developers seem to like OTR more than the official protocol 
extension of Jabber.

So now my question is, why don't you drop the unused protocol 
extension and use OTR instead as the official extension? I am not 
affiliated with the OTR team in any way, but I guess they would also 
prefer this.
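
The blind-accept case described in the message is trust on first use. As an added example (not part of the original post and not code from any Jabber client or from the OTR project), this sketch shows how a client can pin the first fingerprint it sees, flag a later change, and upgrade the pin once the fingerprint has been compared in person. The `PinStore` class, the state names and the 40-hex-digit fingerprint format are assumptions made for the illustration.

```python
import hmac
import re

# States a client could show the user for a peer's key (hypothetical names).
NEW_UNVERIFIED = "new-unverified"    # first contact, accepted blindly
SEEN_UNVERIFIED = "seen-unverified"  # same key as before, never checked out of band
VERIFIED = "verified"                # same key, and the user compared it in person
MISMATCH = "mismatch"                # key differs from the pin: possible MITM or new key


def normalize(fingerprint):
    """Strip spaces/colons and lowercase; assumes a 40-hex-digit fingerprint."""
    fp = re.sub(r"[\s:]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", fp):
        raise ValueError("not a 40-hex-digit fingerprint")
    return fp


class PinStore:
    """In-memory trust-on-first-use store keyed by contact address."""

    def __init__(self):
        self._pins = {}  # address -> (fingerprint, verified flag)

    def observe(self, address, fingerprint):
        """Call whenever a peer presents a key; returns one of the states."""
        fp = normalize(fingerprint)
        pinned = self._pins.get(address)
        if pinned is None:
            self._pins[address] = (fp, False)
            return NEW_UNVERIFIED
        known, verified = pinned
        if not hmac.compare_digest(known, fp):
            return MISMATCH  # the pin is never overwritten silently
        return VERIFIED if verified else SEEN_UNVERIFIED

    def verify(self, address, fingerprint_read_in_person):
        """Upgrade the pin only if the out-of-band value matches it."""
        pinned = self._pins.get(address)
        if pinned is None:
            return False
        fp = normalize(fingerprint_read_in_person)
        if not hmac.compare_digest(pinned[0], fp):
            return False
        self._pins[address] = (pinned[0], True)
        return True
```

A failed `verify` on an existing pin is the case where the first contact itself was intercepted: the pinned key is not the one the contact reads out in person.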


