[jdev] OTR and Jabber - Clients wanted
Justin Karneges
justin-keyword-jabber.093179 at affinix.com
Tue May 31 16:40:05 CDT 2005
On Tuesday 31 May 2005 03:45 am, Florian 'fh' Holzhauer wrote:
> Hi List,
>
> I just wanted to ask if there are any Jabber-Clients besides Adium and
> Gaim which support OTR (http://www.cypherpunks.ca/otr/) or are at
> least planning to support it. I dont like Gaim and Adium is Mac-only,
> so I would be really happy if there are other clients out there.
>
> OTR impressed me much due to its advantages to GPG, and the fact that
> it works in the message itself which would allow me to communicate
> encrypted with an ICQ/AIM/whatever user if he is using an OTR capable
> client, too.
GPG works by single messages, OTR works as a session of messages. The
advantages to gain from OTR are really just the advantages to gain by using a
session-based protocol. That is: encryption, authentication, forward
secrecy. TLS, SSH, and JEP-0116 all have this. What OTR introduces is
deniability.
The main drawback to OTR is that it has its own PKI system. So you get
deniability, at the price of having to mess with fingerprints 100% of the
time, on keys you can't use for anything but OTR. To me, that's a step
backwards. It makes OTR even geekier than GPG.
In my opinion, it would have been a lot better for OTR to utilize GPG for the
public keys. Then instead of competing systems, each with advantages and
drawbacks, we would have a single system with all combined advantages.
But anyway, to answer your question: I am investigating ways to improve Jabber
encryption, but I'm not ready to approve of OTR.
-Justin
More information about the JDev
mailing list