On Thu, Nov 07, 2013 at 08:53:38AM -0800, Matt Miller wrote: > > On Nov 7, 2013, at 7:20 AM, Alexander Holler <hol...@ahsoftware.de> wrote: > > > I think a realistic solution is to show users the state of their > > communication and therefor make the aware of the fact if e.g. a message > > is believed to have traveled secure or unsecure ways. > > > > That's already mentioned in the manifesto and I like that a lot. > > > > A possible solution could be to add an attribute to messages (or all > > stanzas) which details the used communication way and the used > > encryptions to transport that message/stanza. I don't know if such was > > already written down in an XEP, but I would like that a lot. > > > > That has came up in some side discussions at the IETF meeting in Vancouver. > XEP-0334, while specifically for <message/> stanzas today, might be able to > provide such a flag (e.g., <require-tls/> or some such).
Thanks for pointing me at that XEP. Looks nice. But I meant it more in a documentary way, something like (multiple) <received-through encryption=foo trust=bar/> where trust is something to qualify to certificate and encryption is obvious. That would not help against weak encryption, but it would make users aware that the transport for the message was believed to be trustworthy or not. Currently a user has no chance to see what way a stanza took. In regard to this, even e-mail is better (at least when one looks at the headers). Of course, to make it really usefull, xmpp-clients will have to display something like a level of trust/encryption for every message. Usually that level would be the lowest one of those <received-through/>. And how to transform that into something like (easy to read by normal people) "trust-points", could be specified by an XEP. Here I would suggest to make 0 the lowest number of trust/encryption with no upper limit. So if some new strong encryption would appear, it just would get a (possible new) number higher than those of the existing encryptions. The point here is to make it easy for users to spot if they used weak encryption without the need to be an expert in encryption. That would help to make people more sensible in regard to weak transports, because they would be able to see it without having to look at complicated headers, stanzas or attributes. Regards, Alexander Holler _______________________________________________ JDev mailing list Info: http://mail.jabber.org/mailman/listinfo/jdev Unsubscribe: jdev-unsubscr...@jabber.org _______________________________________________
