On Mon, Apr 29, 2013 at 6:21 PM, Tommaso Cucinotta <tomm...@lyx.org> wrote:
> On 30/04/13 00:11, Nico Williams wrote:
>> But do you want to reuse an OTR
>> implementation?
>
> The question is why OTR, but perhaps the answer is simply that it is already
> made to be compatible with messaging protocols.

OTR is the only open protocol that exists today for end-to-end
authenticated encryption over IM.  There's also Apple's iMessage, but
that's proprietary.  Neither XMPP, nor AIM, nor IRC, ... provide the
same feature.  Hmmm, I may tell a lie: there's also SILC, but I know
little about it and it's very niche.

Merely using XMPP with TLS does not provide end-to-end security.

Mind you, even with OTR, most users never bother authenticating each
other, I think, and so they end up with potential men-in-the-middle
(MITMs).  But at least they can authenticate (and detect the MITMs),
and if they don't they still get protection from passive
eavesdroppers, no matter what the XMPP fabric does in the middle.

> However, security may be one of the optional add-on / separate work-items / 
> fine things we do if we get everything else working properly.

Right, but if you use a library that already has OTR then you're good
to go.  Well, that's another lie: you still need to provide a UI for
OTR, but that goes with using XMPP (or whatever) in the first place
too.

Nico
--