[jdev] Any thoughts on implementing end to end message encryption?

Peter Saint-Andre stpeter at stpeter.im
Wed Nov 14 01:37:05 UTC 2012


On 11/13/12 4:49 PM, mat henshall wrote:
> We have an application that needs to be able to encrypt and sign 
> messages and IQ stanzas that contain custom elements 'end to end'
> from one client to another, possibly across multiple federated
> services.
> 
> Looking at RFC 3923, there seems to be very little practical
> application of this specification.
> 
> Is there any reason?
> 
> Should I ignore this? If so what would the community suggest?

We've tried 5+ times to build end-to-end encryption. We've failed each
time.

1. PGP (XEP-0027) - never widely adopted, who has PGP keys?

2. SMIME+CPIM (RFC 3923) - checking off a security box for the IETF

3. xmlenc (never documented) - might be used somewhere, but those
people aren't talking

4. ESessions (XEP-0116) - implemented once, no other adoption

5. XTLS (draft-meyer-xmpp-e2e-encryption) - experimental, didn't move
forward

At this point I think there are other solutions under discussion:

6. OTR - http://www.cypherpunks.ca/otr/

7. XMPP e2e - draft-miller-xmpp-e2e

I sure hope we'll settle on one of those before the heat death of the
universe. Your feedback is welcome. :)

Peter

- -- 
Peter Saint-Andre
https://stpeter.im/



