[Adium-devl] Java-based libraries... a ponder, a thought, an apology
timber at lava.net
Fri Dec 8 05:24:58 UTC 2006
On Dec 7, 2006, at 11:51 PM, Augie Fackler wrote:
> On Dec 7, 2006, at 9:31 PM, Evan Schoenberg wrote:
>>>> 4) Trillan SecureIM compatibility
>>> Can't answer to this one. I only partially looked at it. Since
>>> Fire had GPG, and then later OTR, I just didn't see the point. In
>>> terms of implementation, I remember thinking it should be a
>>> plugin, like OTR, but have extra "meta-data" support by the
>>> library to work with it. I would have to look at how secureIM is
>>> implemented again in order to expound on this idea.
>> Indeed -- I don't expect that there's any real reason to implement
>> SecureIM. Multiple encryption methods seems to add a lot of
>> complexity which most users simply don't need.
>>> Wasn't there something about supporting AIM's encryption for IMs
>>> in there as well?
>> I'm not sure... there may well have been.
> Trillian SecureIM is not all that useful - I'm actually actively
> *opposed* to including support for it in Adium, because it's bad. I
> can't find the site for reference - but the long and short of it is
> that SecureIM has no way of verifying the authenticity of who you're
> talking to...which OTR provides. Honestly, I'd be inclined to say we
> should start broadcasting a capability block for OTR, and encourage
> everyone else to start doing the same - and try and get some real
> clients supporting OTR.
I definitely agree here. OTR is a great encryption protocol designed
for realtime communications, and it's open (and the developers seem to
take security very seriously and are quick to respond to exploits—
remember that design flaw a while back that caused them to bump the
major version #?). The more people we can get using OTR, the better.
We should definitely be evangelizing it in our documentation and what
press we do write. People request GPG and PGP support a lot and the
only reason it would be useful would be a large number of keys and
such built up over time. But that wouldn't be that hard to replicate
with OTR, anyway. Just send a signed GPG message with your OTR finger
print, and bam.
> AIM does have their own encryption protocol, using SSL certs for
Not as good as OTR—deniability ftw.
More information about the Adium-devl