[Standards] e2e privacy for XMPP Re: RFC 3923 (e2e with S/MIME) and OpenPGP

Peter Saint-Andre stpeter at stpeter.im
Tue Nov 19 20:12:27 UTC 2013

On 11/19/13 12:56 PM, Philipp Hancke wrote:
> [...]
>>> Having no federation at least doesn't introduce yet another 
>>> huge possibility for security problems and as long as you own
>>> the source code and aren't forced to use anybody's specific
>>> offering it is highly inadequate to call such a software a
>>> silo.
>> In case others are not yet aware: #youbroketheinternet is not
>> only explicitly opposed to federation but not even interested in 
>> interoperability with federated communication networks.
> There is the hypothesis that any federated network tends to
> cluster around a number of large nodes. E.g. for XMPP this would be
> gmail, jabber.org, jabber.ccc.de (applause to their efforts on
> making themselves unreliable!), ...

This is true even of unfederated networks (Facebook, Twitter,
LinkedIn, Skype, the current crop of cool new mobile chat apps). My
hypothesis: human beings are herd animals and prefer to flock together
in large numbers. "Are you on hot-new-service-X?" It's much easier to
think and act that way than to strike out on your own.

> Interdomain federation is hard, especially delivering the same
> user experience as between users on the same domain.

This is a huge factor. It's much easier to offer a consistent and
quality experience if you control both ends of the pipe (I'm not
saying it's easy, and I think the people who run these large,
monolithic services deserve our admiration even though I prefer a more
federated, decentralized approach). Most people always complain about
how there's no great email client, no great IRC client, no great
Jabber client, and so on (don't even get me started on SIP clients!)
-- with plenty of justification.

Now, there's a lot that we could do to make things easier for those
who would consider deploying federated services -- servers that are
easier to run, clients that offer a better user experience, a higher
level of security, etc. One reason for the ubiquitous encryption
manifesto is that I think we owe it to our users to at least offer
better security. But easier servers and clients are part of the
picture too.

Some argue that this is all a waste of time and that it would be more
productive to start again (as Carlo says, redesign the entire stack).
I have a great deal of sympathy with that attitude, and I do think
that eventually we'll need to replace a lot of what we have now (even
at the physical and link layers, e.g., more open hardware, wireless
mesh links instead of centralized ISPs). But this is going to take a
long time, and until we have more of that built out IMHO we need to do
what we can to better secure the current generation of federated

Let the conversation continue... :-)


-- 
Peter Saint-Andre
