[Pidgin] EndToEndXMPPCrypto modified

Pidgin trac at pidgin.im
Sat Jan 25 20:39:38 EST 2014


Page "EndToEndXMPPCrypto" was changed by elb
Diff URL: <https://developer.pidgin.im/wiki/EndToEndXMPPCrypto?action=diff&version=2>
Revision 2
Changes:
-------8<------8<------8<------8<------8<------8<------8<------8<--------
Index: EndToEndXMPPCrypto
=========================================================================
--- EndToEndXMPPCrypto (version: 1)
+++ EndToEndXMPPCrypto (version: 2)
@@ -12,3 +12,15 @@
  * '''Protocol-agnostic.'''  While this is a feature in some sense, it is also limiting.  OTR, for example, is a successful, portable, and secure protocol with many features going for it.  However, its protocol agnosticism is both a strength and a weakness.  It's great to be able to secure conversations over a variety of networks, both open and proprietary, but lack of protocol integration means that, for example, advertising OTR capability through XMPP presence is not supported.  (To my knowledge, at least!)
  * '''Reliance on SSL PKI.'''  Similar to proprietary protocols, this is an obvious non-starter.  Who trusts those guys?
  * '''Limited third-party authentication functionality.'''  Most or all existing protocols provide only limited support for authenticating an interlocutor's keys.  In some cases the keys are used only for the protocol in question, and verification is provided only by the client itself.  Some protocols use exclusively a specific third-party authentication mechanism (e.g., GPG or x.509 certificates with CA signatures).
+
+== Desiderata ==
+
+I consider these features essential to a protocol that satisfies this call:
+
+ * '''Strong authentication.'''  All data exchanged via the protocol should have strong authentication.  Not all data may be encrypted, but all data should be authenticated.
+ * '''XMPP Presence integration.'''  This means that XMPP presence stanzas for a client supporting the protocol should provide, at a minimum:
+  * Notification that the client supports e2e encryption
+  * Public key material or equivalent information, or a method to retrieve it
+  * A cryptographically secured authentication mechanism for the above items (may, in this case, be a self-signature using the key material itself)
+ There may be additional room for integration here; for example, authentication of the basic presence information is also desirable, but I do not consider it a strict requirement.
+ * '''Streamlined one-on-one Chat.'''  An equivalent protocol to the XMPP simple <message> stanza with a cleartext <body>, only encrypted and authenticated.  The point of this protocol is to minimize overhead for typical one-on-one chat, for the benefit of mobile and bandwidth- or computationally-constrained clients.
-------8<------8<------8<------8<------8<------8<------8<------8<--------

--
Page URL: <https://developer.pidgin.im/wiki/EndToEndXMPPCrypto>
Pidgin <https://pidgin.im>
Pidgin

This is an automated message. Someone added your email address to be
notified of changes on 'EndToEndXMPPCrypto' page.
If it was not you, please report to datallah at pidgin.im.


More information about the Wikiedit mailing list