[Standards] OTR

Carlo v. Loesch CvL at mail.symlynX.com
Tue Feb 3 17:49:20 UTC 2015

On Tue, Feb 03, 2015 at 02:22:33PM +0100, Ralph Meijer wrote:
> I think everyone in our community knows that XMPP, as currently
> designed, has no simple mechanism to obscure who's communicating with
> whom. Going into more detail, federation as in e-mail or XMPP has this
> problem in both extremes: if everyone is running their own server
> (instead of a cloud service that could be compromised by a government
> agency), the number of people associated with such a server is likely to
> be low, making it easier to find out who's behind it.

Thanks for the ack, Ralph.

> However, that is just one threat model, one that someone may or may not
> find important enough to fix. Efforts to address other threat models
> (like secrecy of messages themselves) are not suddenly worthless if you
> can't hide who's communicating. Also, documenting current practice still
> seems a great idea, to me.

The problem here is that far too many people are investing time in the
old communications model, be it applying crypto to SMTP or XMPP. And
yet should one day, against the odds of disinterest or distraction, an
actually functional distributed communications network arise, serving
a better job at both messaging and social networking than even the cloud
systems, how much does it matter that SMTP or XMPP are safe from the
perspective of some lesser threat models? It reminds me a bit of all the
effort that went into digital fax technology. With my ISDN router came
the ability to send fax directly from the word processor and to receive
fax in text form thanks to automatic OCR. Yet, all the world switched to
e-mail anyway. Why should they stick to a fax system even if it was
fully integrated into the computing experience?

Also, what lesser threat models can make sense? The exercise of democracy
depends on constitutional freedoms like Secrecy of Correspondence and
Freedom of Association (= metadata protection). With technology that has
within only twenty years turned all democratic populations on Earth into
a fully surveillable and predictable populace, can there be any more
important threat model? What's the use for a Syrian dissident that Google
is on her side if ten years later all her activity data can be handed
over to the then possibly pro-Western government of Syria?

I know these people are better served with something now than too late,
but that's what they already have. The next thing they need is something 
that defends metadata - the foundation for forming a political opposition,
the essential capacity of renewal of democracy. If we leave metadata up
for grabs, we are co-responsible for a slippery slope towards global
dismantlement of democracies. It doesn't take any evil conspiracies -
it's the technology enabling and leading the way to hell.

That's why I suggest you should not spend further years trying to 
get at so-called low-hanging fruit which each time ends up not hanging 
low at all (multi-end OTR is such a case) while there are new paradigms
of Internet technology out there, waiting to be fleshed out and given
a chance to protect humanity from itself. That stuff needs people
like you.

  E-mail is public! Talk to me in private using Tor.
  torify telnet loupsycedyglgamf.onion		DON'T SEND ME
          irc://loupsycedyglgamf.onion:67/lynX  PRIVATE EMAIL
         http://loupsycedyglgamf.onion/LynX/    OR FACEBOOGLE
