On 3 Feb 2015 09:37, "Florian Schmaus" <f...@geekplace.eu> wrote:
>
> On 03.02.2015 10:04, Dave Cridland wrote:
> > On 2 Feb 2015 18:49, "Peter Saint-Andre - &yet" <pe...@andyet.net> wrote:
> >> On 2/2/15 5:22 AM, Hund, Johannes wrote:
> >>> Since it was undisclosed that even the NSA seems to have problems
> >>> breaking into OTR [1], it gained a lot of attention it seems and thus
> >>> does a good deal in supporting XMPP as a choice for applications with
> >>> high requirements in privacy and security as it's often the case for
> >>> IoT applications.
> >>
> >>
> >> OTR secures only the character data of the XMPP <body/> element within
> >> message stanzas. That's appropriate for IM but doesn't really help with
> >> things like IoT (which often use extended namespaces).
> >>
> >
> > Exactly, and this is the kind of thing I was hoping that documenting the
> > current OTR usage in XMPP would show clearly.
>
> Isn't "documenting the current OTR usage in XMPP" simply
>
> <message …>
>  <body>
>     … put OTR stuff here …
>  </body>
> </message>
>

That's certainly the core of it, though the devil is usually in the
details. I suspect there's all sorts of weird stuff with multiple
resources, for instance, and html, and...

> where "OTR stuff" is defined at
> https://otr.cypherpunks.ca/Protocol-v2-3.1.0.html (I think most
> implementations use OTR v2) and
> https://otr.cypherpunks.ca/Protocol-v3-4.0.0.html
>
> So OTR is IM protocol-agnostic. You can see how OTR tries to negotiate
> using whitespaces at the end of String within the </body> element at
> https://github.com/python-otr/gajim-otr/issues/9#issue-40676864
>
> I'm also not sure if, not only because it's IM protocol-agnostic, OTR
> would be a good fit for IoT. Some research in this direction would sure
> be interesting.
>
> - Florian
>

It'd be nice to have a document which held our consensus view on what OTR
in XMPP protects against, and what it fails to protect against, and how one
implements it. Currently it's one of those things that "everybody knows",
and I'm willing to admit that I am not "everybody".

Dave.
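
An added example, not part of the thread or of any project's code: a small audit of one message stanza showing which parts OTR covers (the <body/> character data) and which stay readable, plus detection of the whitespace-tag offer mentioned above. The function names, the JIDs, the urn:example:iot namespace and the "?OTR:" payload are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def ws(text):
    """Encode ASCII as 8 whitespace chars per byte: space = 0 bit, tab = 1 bit."""
    return "".join(" \t"[int(bit)] for ch in text for bit in format(ord(ch), "08b"))

# Whitespace tag from the OTR spec: a 16-byte base tag, then one 8-byte tag per
# offered version. Read as bits, the spec's byte values are the ASCII below.
WS_BASE = ws("OT")
WS_VERSIONS = {ws("R"): 1, ws("2"): 2, ws("3"): 3}
BODY = "{jabber:client}body"

def offered_versions(body):
    """OTR versions advertised by a whitespace tag hidden in a plaintext body."""
    start = body.find(WS_BASE)
    if start < 0:
        return []
    rest = body[start + len(WS_BASE):]
    found = []
    for chunk in (rest[i:i + 8] for i in range(0, len(rest), 8)):
        if chunk not in WS_VERSIONS:
            break
        found.append(WS_VERSIONS[chunk])
    return found

def audit(stanza_xml):
    """Split one <message/> stanza into what OTR covers and what stays readable."""
    msg = ET.fromstring(stanza_xml)  # constructed input; use a hardened parser on real traffic
    report = {"encrypted_body": False, "offers": [], "cleartext": sorted(msg.attrib)}
    for child in msg:
        text = child.text or ""
        if child.tag == BODY and text.startswith("?OTR:"):
            report["encrypted_body"] = True  # only this character data is protected
            continue
        if child.tag == BODY:
            report["offers"] = offered_versions(text)
        report["cleartext"].append(child.tag)  # plain body, extension payloads, XHTML copies
    return report

# Constructed stanzas; urn:example:iot and the JIDs are made up for illustration.
IOT = ("<message xmlns='jabber:client' to='hub@example.org' type='chat'>"
       "<body>?OTR:AAMDconstructed.</body>"
       "<reading xmlns='urn:example:iot' celsius='21.5'/></message>")
PLAIN = ("<message xmlns='jabber:client' to='hub@example.org'>"
         "<body>hi" + WS_BASE + ws("2") + ws("3") + "</body></message>")

if __name__ == "__main__":
    print(audit(IOT))
    print(audit(PLAIN))
```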
