[guardian-dev] serverless XMPP as

Hans-Christoph Steiner hans at guardianproject.info
Wed Apr 18 22:30:52 EDT 2012


Yeah, it definitely shouldn't be always on, but something that the user enables.  A regular session would go like this:

- in Gibberbot, user clicks "Start Sync"
- Gibberbot activates serverless XMPP account dedicated to sync
- Gibberbot broadcasts mDNS service announcement
- OTRConverter picks up the broadcast and adds Gibberbot as a sync option
- OTRConverter sends AUTH to Gibberbot sync account
- OTRConverter sends GET to Gibberbot sync account
- Gibberbot sends otr_keystore to OTRConverter
- OTRConverter syncs it with local Pidgin/Adium/etc. keystores
- OTRConverter sends Gibberbot a PUT with the new synced otr_keystore
- Gibberbot replaces its otr_keystore with the new one
- Gibberbot turns off sync account

In order to set up the sync, the user would have to do this on the first sync attempt:

- in Gibberbot, user clicks "Start Sync"
- Gibberbot activates serverless XMPP account dedicated to sync
- Gibberbot broadcasts mDNS service announcement
- Gibberbot shows a screen with OTR fingerprints
- OTRConverter picks up the broadcast
- OTRConverter shows its screen with OTR fingerprints
- user verifies and clicks "NEXT"
- Gibberbot shows a screen with a passphrase + QR Code version of it
- user enters passphrase into OTRConverter prompt screen (or via QR scan)
- OTRConverter sends AUTH to Gibberbot sync account
- OTRConverter sends GET to Gibberbot sync account
- Gibberbot sends otr_keystore to OTRConverter
- OTRConverter syncs it with local Pidgin/Adium/etc. keystores
- OTRConverter sends Gibberbot a PUT with the new synced otr_keystore
- Gibberbot replaces its otr_keystore with the new one
- Gibberbot turns off sync account

.hc
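
The regular session above, as an added message-level model (not Gibberbot or OTRConverter code): the phone-side agent refuses GET/PUT until the passphrase AUTH succeeds and shuts the sync account off after the PUT. The AUTH/GET/PUT verbs and otr_keystore name are from the mail; the dict-shaped keystore, the "desktop wins on clash" merge rule and the service name are assumptions.

```python
import hmac

# Added example, not project code: the sync session from the mail as plain
# function calls. The dict-shaped keystore and the merge rule are assumptions.
class SyncAgent:
    """Gibberbot side: a serverless XMPP account dedicated to syncing."""
    def __init__(self, keystore, passphrase):
        self.keystore = dict(keystore)      # otr_keystore: account -> key fingerprint
        self.passphrase = passphrase        # passphrase shown on the QR screen
        self.active = False
        self.authed = False

    def start_sync(self):
        """User clicks "Start Sync": bring the account up and announce it via mDNS."""
        self.active, self.authed = True, False
        return {"service": "_presence._tcp", "name": "gibberbot-sync"}  # assumed name

    def handle(self, verb, payload=None):
        """Process one message from OTRConverter; GET/PUT only after a good AUTH."""
        if not self.active:
            return ("ERROR", "sync account is off")
        if verb == "AUTH":
            # constant-time compare so the passphrase check does not leak timing
            self.authed = hmac.compare_digest(str(payload), self.passphrase)
            return ("OK", None) if self.authed else ("ERROR", "bad passphrase")
        if not self.authed:
            return ("ERROR", "AUTH required")
        if verb == "GET":
            return ("OK", dict(self.keystore))
        if verb == "PUT":
            self.keystore = dict(payload)
            self.active = self.authed = False   # sync account is turned off after PUT
            return ("OK", None)
        return ("ERROR", "unknown verb")

def merge_keystores(phone, desktop):
    """OTRConverter side: union of both stores; on a clash the desktop entry wins."""
    return {**phone, **desktop}

def run_sync_session(agent, desktop_keystore, passphrase):
    """OTRConverter side: AUTH, GET, merge, PUT. Returns the merged store or None."""
    agent.start_sync()                      # stands in for the user's "Start Sync" click
    if agent.handle("AUTH", passphrase)[0] != "OK":
        return None
    _, phone_keystore = agent.handle("GET")
    merged = merge_keystores(phone_keystore, desktop_keystore)
    agent.handle("PUT", merged)
    return merged
```

After a successful run the agent's account is off, so a stray later GET is rejected; after a failed AUTH the keystore is never disclosed.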



On Apr 18, 2012, at 7:59 PM, Miron wrote:

> It's an interesting idea.  I think it's important that the user be aware
> of the account, but yes, we could have multiple such accounts.  In fact,
> that might already work.
> 
> We should also think about security and privacy implications, as well as
> technical considerations.  For example, the serverless account does a
> multicast.  That has an impact on privacy if always on.  Also, should
> the connection be used as a sequence of packets or a stream?
> 
> It would be interesting to figure out how to use automated OTR
> communication in other contexts.
> 
> On 18/04/12 16:08, Hans-Christoph Steiner wrote:
>> Hey Miron,
>> 
>> In case you missed this in #guardianproject today:
>> 
>> n8fr8 and I were just discussing the possibility of using serverless XMPP as a protocol for syncing the OTR key info with the desktop. I'm writing a desktop client, then we'd make Gibberbot have a protocol to get and put the keys.  It could be via HTTPS or just some TLS socket, but it seems cooler to do it with serverless XMPP. I guess there would have to be an invisible serverless account in Gibberbot to be the sync agent.  Could there be multiple serverless accounts?
>> 
>> .hc
>> _______________________________________________
>> Guardian-dev mailing list
>> 
>> Post: Guardian-dev at lists.mayfirst.org
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>> 
>> To Unsubscribe
>>        Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>>        Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net
>> 
>> You are subscribed as: c1.android at niftybox.net
> 
> 
> -- 
> Miron
> http://hyper.to/blog/
> 


