[Standards] Council Minutes 2020-02-19

Georg Lukas georg at op-co.de
Tue Feb 25 17:12:28 UTC 2020


* Tedd Sterr <teddsterr at outlook.com> [2020-02-19 18:15]:
> 3a) Last Call: XEP-0429 (Special Interests Group End to End Encryption) - https://xmpp.org/extensions/xep-0429.html

+1

> 3b) Proposed XMPP Extension: Simple JSON Messaging - https://xmpp.org/extensions/inbox/udt.html

+1 - It still has udt in the inbox name, the short name and some
mentions in the document and schma, but this can be fixed.

> 3c) Proposed XMPP Extension: Trust Messages - https://xmpp.org/extensions/inbox/trust-messages.html

+0 - this document lacks the Security Considerations section, which is
not only mandatory, but also very important for this kind of
specification. While it probably won't be a huge burden to add it, I'm
slightly cautious yet.

This is a good addition to the XSF portfolio, even if the underlying
protocols (I'm looking at you, OMEMO) aren't there yet.

However, this specification should be split into two (or three) distinct
use cases, based on the security implications:

a) informing your own devices of a trust decision: from/to must have the
same bare JID, key-owner may be own JID for when you add a new device or
a different JID for when you verified somebody's keys.

b) informing your contacts of a new device: key-owner must be your own
bare JID.

optional c) informing your contacts of a trust relationship you entered
- this is akin to the PGP web of trust, and it's full of trouble, so I
would suggest to explicitly forbid this use case.



Georg
-- 
|| http://op-co.de ++  GCS d--(++) s: a C+++ UL+++ !P L+++ !E W+++ N  ++
|| gpg: 0x962FD2DE ||  o? K- w---() O M V? PS+ PE-- Y++ PGP+ t+ 5 R+  ||
|| Ge0rG: euIRCnet ||  X(+++) tv+ b+(++) DI+++ D- G e++++ h- r++ y?   ||
++ IRCnet OFTC OPN ||_________________________________________________||
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://mail.jabber.org/pipermail/standards/attachments/20200225/b6af69b3/attachment.sig>


More information about the Standards mailing list