[Standards] Fwd: e2e encryption
Peter Saint-Andre - &yet
peter at andyet.net
Tue Feb 17 19:47:50 UTC 2015

FYI, I sent this to the IETF's XMPP WG list last week...

-------- Forwarded Message --------
Subject: e2e encryption
Date: Fri, 13 Feb 2015 10:49:58 -0700
From: Peter Saint-Andre - &yet <peter at andyet.net>
To: XMPP Working Group <xmpp at ietf.org>

We're close to finishing all of our deliverables (6122bis, POSH, DNA)
other than end-to-end encryption ("e2e") - IMHO they can all be sent to
the IESG by, say, the end of April.

I know we plan to talk about e2e at IETF 92 in Dallas at the end of
March, but I figured it would be good to start a list thread before then.

To be blunt, we (narrowly the XMPP WG but more widely and importantly
the XMPP community) have failed to deliver an e2e technology. It's not
for lack of proposals over the years: PGP, S/MIME, XML encryption,
SIGMA, e2e TLS, OTR, and JOSE-based signing and encryption have all
flitted across the stage.

To also be blunt, I don't think we have the right people in the room
here to make significant progress on e2e. I don't think the XSF has had
the right people in the room, either. I am of the opinion that, in order
to move forward, someone - probably the XSF - needs to get all the
relevant client and library developers working together. By which I mean
writing code, experimenting with alternative approaches, meeting in
person for interop testing, hashing out spec details, etc. That will
require funding (which the XSF might be able to raise and provide),
dedicated energy among developers, and a real attempt to push forward
together as a community.

This isn't the place to make an organizing proposal for such an
initiative. Although it is possible that the IETF or the XMPP WG could
work in concert with the XSF or the XMPP developer community on such an
initiative, that has its own challenges. In any case, I don't think the
IETF can really find rough consensus until we have the relevant
developers engaged to write some running code.

Thus my suggestion is that we complete our other deliverables, shut down
the XMPP WG without delivering an e2e solution, and put our energy into
another venue where we'll have a greater chance of success on e2e. If
and when we have an e2e technology that really seems promising and has
the XMPP developer community on board with running code, then we can
always spin up another incarnation of the XMPP WG to adapt or review
that technology as a potential standard.