On Oct 2, 2008, at 8:34 AM, Jonathan Schleifer wrote:
> Anyway, as we're currently on that OOB vs. IBB thing for E2E: I think using OOB is bad. Direct connections are a leak of privacy
(I'm assuming that your loss of privacy is the other party getting your IP address)
Not necessarily. You are assuming OOB using direct connections I assume, and forgetting about mediated connections.
Besides, the entire discussion about E2E assumes that parties will use certificates and some sort of trust-upgrade mechanism. I would say that the information inside the certificate is probably more privacy-important than my IP address, but others might disagree.
I admit I find it hard to see how you can have a secure and *trusted* connection without loss of privacy. But I'm not an expert on security.
> and not very reliable.
I don't understand why a direct or mediated TCP connection is less reliable than a C2S + S2S * 2 + C2S set of connections. I think a direct connection is the most reliable of them all because I've got instant notification when something goes wrong: the connection gets dropped.
I deal with lost stanzas every day due to S2S fluctuations, and those problems go away with direct connections. Even mediated connections look better.
> I think we should always use IBB for E2E, as long as it's only text. ICQ demonstrated back then HOW bad this is.
I encourage exactly the opposite, especially in a corporate environment. If I make sure the chat doesn't ever leave the local network, I reduce the risk of snooping considerably.
Just because it's encrypted, safe is still a relative term to your paranoia level.
Best regards,
--
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: [EMAIL PROTECTED]
Use XMPP!