jdev - 2020-11-16


  1. defanor

    https://xmpp.org/extensions/xep-0374.html#choose-pubkey says that all announced keys must be used for encryption, and I assume all the used keys must be trusted. If we already know some trusted keys and new keys are added (which aren't signed by old ones), seems sensible to use the old ones to verify the new ones (even if simply by asking over a channel secured with those), yet sounds like this requirement (using all the keys) would

  2. defanor

    deny using those previously trusted keys to verify a new one. I've also checked Gajim sources now, apparently it only uses trusted ones (though it doesn't claim to support XEP-0374, just 0373). Is it an oversight in XEP-0374, or is there some rationale for that requirement?

  3. flow

    defanor, I think the second MUST in xep374 § 2.3.1 should be downgraded to a MAY. It is outside the scope of xep374 how to determine if a key is trusted and hence should be used for encryption

  4. defanor nods.

  5. flow

    defanor, I think the second MUST in xep374 § 2.3.1 should be downgraded to a MAY. It is outside the scope of xep374 how to determine if a key is trusted and hence if the key should be used for encryption

  6. defanor

    I have one more question regarding that XEP (although perhaps it's more generic), the "Encrypted but unsigned messages (<crypt/>) do not provide an advantage over unencrypted ones since the sender can not be verified." part: I think I've heard that argument before, and possibly even found it convincing, but failing to make sense of it now. There is an advantage for secrecy over unencrypted messages, isn't there? Just not for

  7. defanor

    authentication.

  8. flow

    defanor, that's debatable if there is an advantage.

  9. flow

    the xep mostly mimics the modes that OpenPGP provides and leaves it up to consumers to decide if they want to use it

  10. edhelas

    Are there some Monal developers around here?

  11. Holger

    There's xmpp:monal@chat.yax.im?join FWIW.