[Security] e2e requirements
Ian Paterson
ian.paterson at clientside.co.uk
Sat Mar 24 11:47:46 CDT 2007
Mridul wrote:
> I am not as familiar with esessions as I would like to be, so it's
> likely that I am missing something.
I'm sure you're not alone. :-)
With full respect to everyone on this list, I think most people have
(understandably) not bothered to read and understand the ESessions docs
properly, and since crypto is very different to other XMPP protocols,
most people are actually missing quite a lot.
I'd like to strongly encourage people here to find the time to read (in
order) documents like OTR, SIGMA, ZRTP and XEPs 188, 116, 200.
Now, only the last two documents are necessary to implement ESessions
*from scratch*. But if you want to contribute meaningfully to the
decision-making process you'll probably want more in-depth knowledge
than only that required to implement a crypto library. I'll try to help,
but please seriously consider reading those documents (they're actually
very interesting if you like that sort of thing).
The more you know, the more you know you don't know. Although I've
always been very interested in crypto, and I spent several man-months
over the last two years working on ESessions, I still class myself as
"knowing enough to be dangerous". AFAIK ESessions is "secure", but I'm
not yet sure because I'm not capable of conducting a full security
review of the protocol myself. Happily there are (very few) crypto gurus
who can do that for us. :-)
- Ian