jdev - 2025-03-28


  1. singpolyma

    https://blog.startifact.com/posts/xee/ This is exciting to me

  2. Zash

    Rust XML? Mmmm

  3. singpolyma

    More specifically XSLT3 outside of the saxonverse

  4. Kev

    I think that's the most interesting bit, yeah.

  5. hello!

    What's the pro-XMPP response to this guy? https://soatok.blog/2024/08/04/against-xmppomemo/ He is criticizing XMPP clients for not upgrading to newer crypto implementations

  6. wgreenhouse

    hello!: lots of ink/bytes already spent responding to someone who already announces they're not interested in discussing xmpp

  7. hello!

    I understand the frustration, would you please be able to direct me to anyone else's blog that responds?

  8. wgreenhouse

    they are easy enough to find.

  9. hello!

    can you tell me like one author's name?

  10. wgreenhouse

    iirc daniel gultsch (conversations developer) answered many of soatok's claims directly, either via blog or in the fediverse hellscape where this non-story began, and the soatok person disingenuously did not consider those responses.

  11. hello!

    ok

  12. wgreenhouse

    they also miss lots of _actual_ problems with omemo, which tells me much about soatok's thoroughness and goals

  13. Holger

    He says so in his own screenshot unless I'm misunderstanding it? "I'm not interested in having questions answered. My entire horse in this race is for evangelists to fuck off and leave me alone. That's it. That's all I want."

  14. wgreenhouse

    yep.

  15. wgreenhouse

    but for example he doesn't discuss the problem of really-existing omemo only covering the message body and not other xml tags within the message (one of the main actual reasons/needs to press on with the newer spec versions)

  16. wgreenhouse

    and in his assessment of signal he misses out on the key verification process in signal vs xmpp, which maybe turns out to be important in recent news involving signal

  17. Holger

    I guess the low-level crypto parts are more fascinating for guys fascinated by low-level crypto talk.

  18. wgreenhouse

    yes, but he manages to be not even wrong about the low level crypto stuff (off on a weird not relevant tangent)

  19. hello!

    Yes I agree on the key verification mentioned

  20. hello!

    have the clients upgraded to the newer version spec he mentioned since then?

  21. wgreenhouse

    no

  22. wgreenhouse

    I think there are the same sets of oldmemo and twomemo clients as then

  23. wgreenhouse

    nothing he posted was impactful

  24. hello!

    so you're saying the old crypto spec is just as good, as far as quantum resistance or whatever

  25. wgreenhouse

    I'm saying a blogpost that took half an hour to write changed nobody's assessment of those topics

  26. wgreenhouse

    also what I said before, that covering the whole stanza is a more important win in incrementing the spec

  27. wgreenhouse

    this is what I mean by not even wrong--the priorities are a mess, in terms of practical safety

  28. hello!

    So you're saying that having OMEMO cover more than just the message body is the main priority. And that's a real criticism that should be advanced to improve. But instead, this guy just does a random irrelevant ramble about low level crypto, when this crypto is just as good.

  29. wgreenhouse

    against practical attacks today, yes, that's correct, he misses the forest for the single-celled algae

  30. hello!

    ok thank you so much for your time. so sorry to bother you with this

  31. wgreenhouse

    and he also makes clear at the outset that the only systems he accepts as valid are ones where e2ee cannot be disabled, regardless of whether that is e2ee to an actually trusted destination. so there was never going to be any convincing him

  32. hello!

    right yes I did see that

  33. wgreenhouse

    groups like this one where omemo is not enforced make xmpp irrelevant according to him

  34. hello!

    gotcha

  35. Holger

    I'd also question the implicit assumption that a messenger's E2EE qualities are the only relevant criterion for evaluating a messenger. I mean he doesn't go "I'm a crypto guy, I'm looking at OMEMO, and I'm telling you OMEMO is bad". He goes "I'm a crypto guy, I'm looking at OMEMO, I'm telling you it's bad AND THEREFORE XMPP IS BAD".

  36. Holger

    Okay I typed too slowly :-)

  37. hello!

    I see, so the jump from OMEMO is bad, to XMPP is bad is not clear

  38. Holger

    Yes. If low-level crypto was my only criterion, i.e. if I was happy with vendor lock-in, I could well imagine ending up with Signal or whatever.

  39. Holger

    But the blog author is of course not alone with that assumption.

  40. wgreenhouse

    people's happiness with vendor lock-in is one of those things that

  41. wgreenhouse

    ...is depressingly hard to combat

  42. hello!

    understood

  43. wgreenhouse

    "surely this time I won't be left holding the bag"

  44. theTedd

    If you're looking to influence people's choices, the question you need to answer for them is "how does this affect me (impact my life) at this moment in time (not some distant future)?"

  45. wgreenhouse

    theTedd: unfortunately that is an approach that too often misses out on the logic of startup culture, where the thing isn't going away/betraying you _today_, but at some future point when the easy money runs out.

  46. wgreenhouse

    ok it might be betraying you today too, I'm giving the optimistic version

  47. theTedd

    We may know that, but if it's not a current concern that impacts their life then most people won't consider it

  48. Zash

    Personally I find more happiness in _not_ arguing and instead working away on making XMPP better.

  49. singpolyma

    Yes

  50. theTedd

    Technical people prefer technical things and details -- we'll have more on this revelation later!

  51. singpolyma

    All arguing can do is make us sad and hurt our reputation

  52. theTedd

    My point is that unless you can answer the above question, attempts to influence/convince people to change services/apps will go nowhere.

  53. wgreenhouse

    theTedd: I think ordinary people are open to arguments from experience. most have had an app shut down or stop doing what they need it to do.

  54. theTedd

    In which case, it affected them - so that's a relevant detail

  55. wgreenhouse

    unfortunately it's also a profound psychological trait to discount this happening again

  56. wgreenhouse

    humans are just bad at indefinite future risk

  57. theTedd

    Debating encryption details is generally not a relevant detail

  58. wgreenhouse

    yes, agreed, hence why I wasn't