[Standards-JIG] The Great Encryption Debate

Ian Paterson ian.paterson at clientside.co.uk
Thu Aug 4 22:04:33 UTC 2005


Justin wrote:
> One big issue I see is JEP-0116's complexity. There is a 
> lot of room for error here, fooling around with individual algorithms.

I agree.

If you bear in mind what JEP-0116 sets out to do, and the fact that it
does not rely on big high-level building blocks (like S/MIME or PGP),
IMHO it is a very simple protocol. But, as you pointed out, since OS
implementations of the big building blocks already exist, higher-level
protocols based on them may be easier to implement correctly in the real
world.

Then again, "it has become painfully clear that RFC 3923 is not going to
be widely implemented or deployed".

*If* someone implements a good-quality JEP-0116 library, then many
clients will benefit from a protocol that's being designed from the
ground up for Jabber IM.

Otherwise we're probably back to something like RFC 3923.

The good news is that, since JEP-0116 builds on the OTR concept, I hope
it won't be too difficult for someone to adapt the existing portable OTR
Messaging Library for JEP-0116. [Perhaps some of the OTR Gaim Plugin
code will be useful too?]

I'll be implementing JEP-0116 from scratch in JavaScript as soon as
we've resolved some of the protocol's "Open Issues", and once the
current round of feedback from this list (and from some security
experts) has been incorporated (hopefully next month). The lessons
learned should improve the protocol and, even if they can't use the
code, other developers will at least be able to test interoperability
with the JavaScript implementation.

- Ian



