Folks, I really need your help.

I've been asked to give a talk next Wednesday to the Internet Architecture Board - the senior panel of the IETF - about the changes we made to encryption on the XMPP network. When I say "I've been asked", I quite clearly mean "They asked lots of more sensible people first but they all said no" - and I'm very much aware I'm acting as a mouthpiece for the community here.

Thijs Alkemade, who maintains the awesome xmpppoke software that powers the IM Observatory on xmpp.net, has given me bucket-loads of beautifully graphed data, so I've got the "hard" facts I need to build a story out of. But hard facts only take us some of the way.

I'm interested in highlighting why operators chose to enable encryption, make it mandatory, and other security choices. Stories of the challenges you guys faced, and what compromises you felt forced to make, and so on are also going to be very interesting to the audience. Human factors in your choices are just as interesting as technical ones - a lot of what we do is around people communicating, so impact to that fundamental ability is of course important. Facts and figures are welcome if you have them, anecdotes are good either way.

The IAB is mostly interested in opportunistic encryption - self-signed certificates etc - but I'd like to talk about the challenges that CAs introduce, and discuss DNSSEC, DANE, POSH, PFS, and so on, too.

In many respects, I'm hoping that this is a chance for the XMPP community to really influence the future strategy of security on the Internet - we've clearly managed a huge amount in a very short time, and we're substantially more advanced in many ways than other communities.

I'll end this as I began - I *really* need your help, so please either send me a mail at d...@cridland.net or reply to this with your comments.

Dave.