[Standards] e2e privacy for XMPP Re: RFC 3923 (e2e with S/MIME) and OpenPGP

Peter Saint-Andre stpeter at stpeter.im
Tue Nov 19 20:12:27 UTC 2013


On 11/19/13 12:56 PM, Philipp Hancke wrote:
> [...]
>>> Having no federation at least doesn't introduce yet another 
>>> huge possibility for security problems and as long as you own
>>> the source code and aren't forced to use anybody's specific
>>> offering it is highly inadequate to call such a software a
>>> silo.
>> 
>> In case others are not yet aware: #youbroketheinternet is not
>> only explicitly opposed to federation but not even interested in 
>> interoperability with federated communication networks.
> 
> There is the hypothesis that any federated network tends to
> cluster around a number of large nodes. E.g. for XMPP this would be
> gmail, jabber.org, jabber.ccc.de (applause to their efforts on
> making themselves unreliable!), ...

This is true even of unfederated networks (Facebook, Twitter,
LinkedIn, Skype, the current crop of cool new mobile chat apps). My
hypothesis: human beings are herd animals and prefer to flock together
in large numbers. "Are you on hot-new-service-X?" It's much easier to
think and act that way than to strike out on your own.

> Interdomain federation is hard, especially delivering the same
> user experience as between users on the same domain.

This is a huge factor. It's much easier to offer a consistent and
quality experience if you control both ends of the pipe (I'm not
saying it's easy, and I think the people who run these large,
monolithic services deserve our admiration even though I prefer a more
federated, decentralized approach). Most people always complain about
how there's no great email client, no great IRC client, no great
Jabber client, and so on (don't even get me started on SIP clients!)
-- with plenty of justification.

Now, there's a lot that we could do to make things easier for those
who would consider deploying federated services -- servers that are
easier to run, clients that offer a better user experience, a higher
level of security, etc. One reason for the ubiquitous encryption
manifesto is that I think we owe it to our users to at least offer
better security. But easier servers and clients are part of the
picture too.

Some argue that this is all a waste of time and that it would be more
productive to start again (as Carlo says, redesign the entire stack).
I have a great deal of sympathy with that attitude, and I do think
that eventually we'll need to replace a lot of what we have now (even
at the physical and link layers, e.g., more open hardware, wireless
mesh links instead of centralized ISPs). But this is going to take a
long time, and until we have more of that built out IMHO we need to do
what we can to better secure the current generation of federated
technologies.

Let the conversation continue... :-)

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

