[Juser] jabber encryption extension

Peter Saint-Andre stpeter at stpeter.im
Thu Jan 3 11:29:34 CST 2008

Michael Reichenbach wrote:
> Not much client developers seamed to "like" the official jabber protocol 
> encryption extension. I think this because them did not implement it.
> Most either implemented their own implementation of OpenPGP or the most 
> used encryption method for jabber clients so far is OTR.
> I am not skilled enough in cryptography to look really deep under the 
> hood of OTR. But it`s features (encryption, authentication, deniability 
> and Perfect forward secrecy) seams the be better (or better said more 
> modern). OTR seams to be more practical for instant messengers then PGP.
> OTR is also very easy to set up (compared to OpenPGP). For friends in 
> real life you just meet them and verify their fingerprint, another 
> method is the shared secret (I prefer the first method).
> If you want strangers to contact you with encryption enabled you would 
> need to post your fingerprint singed with pgp somewhere.
> Or the most worse method, you just blindly accept the fingerprint of 
> strangers. That`s better then no encryption at, not 100% secure but you 
> will know that it`s always the same one you are talking to (except when 
> there is a mitm from the first time which is unlikely and if so you can 
> still verify the correct fingerprint later if you feel need for).
> Currently OTR is only for instant messages. Not for group chats, 
> filetransfer, audio or video (last two things may be technically 
> impossible with OTR features).
> My point is, developers seam to like OTR more then the official protocol 
> extension of jabber.
> So now my question is, why you don`t drop the not used protocol 
> extension and use OTR instant as the official extension? I am not 
> afflicted with the OTR team in any way, but I guess them would also 
> prefer this.

We have looked at OTR but we concluded that it's not very compatible 
with Jabber. The Encrypted Sessions technology we developed is in fact 
very similar to OTR, but it has a few key differences, including the 
ability to encrypt the entire packet (not just the message text). This 
is important for things like Jingle negotiation (you don't want to 
expose your IP addresses), XHTML-formatted messages, and so on.

I agree with you that client developers don't seem to be enthusiastic 
about end-to-end encryption. In fact, few clients have added support 
even for OpenPGP. OTR is relatively popular because there is a single 
library that client developers can use to develop plugins for Pidgin, 
Adium, etc. Maybe what we need to do is develop a single good library 
for encrypted sessions and encourage client developers to use that...


Peter Saint-Andre

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7338 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/juser/attachments/20080103/08aa540c/attachment-0003.bin>

More information about the JUser mailing list