Modern XMPP project discussion - 2020-07-05


  1. Alyssa

    Does anybody know if OMEMO can be used to authenticate Jingle (DTLS-SRTP)?

  2. Alyssa

    If I understand the Jingle XEPs correctly, Jingle alone might still be vulnerable to a man-in-the-middle from an untrustworthy XMPP server (swapping out fingerprints and IP addresses and such)

  3. Alyssa

    But if the clients have already established trust via verification of OMEMO fingerprints, the chain-of-trust should be able to piggyback from there. (It's my understanding this is essentially how Signal authenticates calls.)

  4. Alyssa

    (Of course, if you blindly trust OMEMO fingerprints it doesn't matter :P)

  5. Alyssa

    I guess XEP-0420 would solve that if you encrypt the whole Jingle exchange

  6. pep.

    I don't think OMEMO is used for DTLS-SRTP yet

  7. pep.

    You may also want to look into https://xmpp.org/extensions/xep-0396.html JET-OMEMO

  8. pep.

    Depending on what you're looking for

  9. Alyssa

    pep., it's my understanding that would have performance issues..?

  10. Alyssa

    AFAIU it's -just- the fingerprint that you need sent over OMEMO

  11. pep.

    hmm, looks like you'd only need to do that indeed. I delegate to somebody more knowledgeable though