[Standards] OTR

Dave Cridland dave at cridland.net
Tue Feb 3 09:45:58 UTC 2015

On 3 Feb 2015 09:37, "Florian Schmaus" <flo at geekplace.eu> wrote:
> On 03.02.2015 10:04, Dave Cridland wrote:
> > On 2 Feb 2015 18:49, "Peter Saint-Andre - &yet" <peter at andyet.net
> > <mailto:peter at andyet.net>> wrote:
> >> On 2/2/15 5:22 AM, Hund, Johannes wrote:
> >>> Since it was undisclosed that even the NSA seems to have problems
> >>> breaking into OTR [1], it gained a lot of attention it seems and thus
> >>> does a good deal in supporting XMPP as a choice for applications with
> >>> high requirements in privacy and security as its often the case for
> >>> IoT applications.
> >>
> >>
> >> OTR secures only the character data of the XMPP <body/> element within
> > message stanzas. That's appropriate for IM but doesn't really help with
> > things like IoT (which often use extended namespaces).
> >>
> >
> > Exactly, and this is the kind of thing I was hoping that documenting the
> > current OTR usage in XMPP would show clearly.
> Isn't "documenting the current OTR usage in XMPP" simply
> <message …>
>  <body>
>     … put OTR stuff here …
>  </body>
> </message>

That's certainly the core of it, though the devil is usually in the
details. I suspect there's all sorts of weird stuff with multiple
resources, for instance, and html, and...

> where "OTR stuff" is defined at
> https://otr.cypherpunks.ca/Protocol-v2-3.1.0.html (I think most
> implementations use OTR v2) and
> https://otr.cypherpunks.ca/Protocol-v3-4.0.0.html
> So OTR is IM protocol-agnostic. You can see how OTR tries to negotiate
> using whitespaces at the end of String within the </body> element at
> https://github.com/python-otr/gajim-otr/issues/9#issue-40676864
> I'm also not sure if, not only because it's IM protocol-agnostic, OTR
> would be a good fit for IoT. Some research in this direction would sure
> be interesting.
> - Florian

It'd be nice to have a document which held our consensus view on what OTR
in XMPP protects against, and what it fails to protect against, and how one
implements it. Currently it's one of those things that "everybody knows",
and I'm willing to admit that I am not "everybody".

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/standards/attachments/20150203/741b23f5/attachment.html>

More information about the Standards mailing list