[Security] e2e requirements

Ian Paterson ian.paterson at clientside.co.uk
Sat Mar 24 11:47:46 CDT 2007


Mridul wrote:
> I am not as familiar with esessions as I would like to be, so it is
> likely that I am missing something.

I'm sure you're not alone. :-)

With full respect to everyone on this list, I think most people have
(understandably) not bothered to read and understand the ESessions docs 
properly, and since crypto is very different to other XMPP protocols, 
most people are actually missing quite a lot.

I'd like to strongly encourage people here to find the time to read (in 
order) documents like OTR, SIGMA, ZRTP and XEPs 188, 116, 200.

Now, only the last two documents are necessary to implement ESessions 
*from scratch*. But if you want to contribute meaningfully to the 
decision-making process you'll probably want more in-depth knowledge 
than only that required to implement a crypto library. I'll try to help, 
but please seriously consider reading those documents (they're actually 
very interesting if you like that sort of thing).

The more you know, the more you know you don't know. Although I've 
always been very interested in crypto, and I spent several man-months 
over the last two years working on ESessions, I still class myself as 
"knowing enough to be dangerous". AFAIK ESessions is "secure", but I'm 
not yet sure because I'm not capable of conducting a full security 
review of the protocol myself. Happily there are (very few) crypto gurus 
who can do that for us. :-)

- Ian


