-
Kris
https://www.kaidan.im/2022/08/31/e2ee-trust-management/
-
Kris
But that is a bit controversial and personally I am not a big fan of this idea.
-
leke
1
-
leke
?
-
fugata
2
-
Arlington Hughes
> I, for example, use Conversations and Dino. Conversations wants to have a QR code scanned to verify a key, Dino does not provide that. I can only accept the key in Conversations, it seems.
Dino does, in fact, have a scannable OMEMO QR code. Assuming you're using the latest build, go to Preferences, click Encryption, and click the icon immediately to the left of your key.
-
Arlington Hughes
Excuse me, I meant the icon immediately to the *right* of the key.
-
Arlington Hughes
-
raucao
for me, that's in accounts, not preferences
-
Arlington Hughes
Yeah, I think that was a recent commit (definitely within the last year).
-
erebion
> Dino does, in fact, have a scannable OMEMO QR code. Assuming you're using the latest build, go to Preferences, click Encryption, and click the icon immediately to the left of your key.
Only for the current device. Meaning every time I log in on a new device, I have to open Dino on all four devices to scan the QR code, which is painful.
-
Kris
well that's kind of intentional as you are trusting the device not the account
-
Kris
but see the link I shared above for a possible alternative that is already implemented in some clients
-
erebion
> but see the link I shared above for a possible alternative that is already implemented in some clients
I wonder whether Dino and Conversations will adopt that. It's extremely helpful to me.
-
Kris
Maybe, but I think the Conversations dev said it's too complicated or so.
-
Kris
But you realize that there is no real need to verify devices, right?
-
Kris
Unless you want to be extra sure about a specific device you can just use the default trust on first use and e2ee will work fine.
-
erebion
There is a real need, I know my own threat model, thanks.
-
Kris
If you outsource trust to the other person like the above method does, you might as well not verify devices at all imho.
-
erebion
My threat model obviously does not fit your idea.
-
Kris
I am not sure you thought your trust model through though 🤷‍♂️
-
Kris
But anyways, you do you
-
erebion
An XMPP server getting hacked, the protection being E2EE? I'm pretty sure I know what I want to protect myself against.
-
Kris
E2ee is not affected by what I said.
-
erebion
E2EE only really helps in that scenario if you know who you are encrypting for.
-
Kris
Trust on first use does that as well
-
erebion
Anyway, will talk to the Dino folks to get their view on this.
-
erebion
No, it does not.
-
Kris
About as well as letting the other side add arbitrary devices to your trusted devices list without you knowing.
-
erebion
Thanks, next please tell me what the internet is as I obviously have no idea about it all...
-
erebion
🙄
-
erebion
I actually do understand what cross signing of keys does and how it *helps* me with my use-case.
-
Kris
looks like a case of Dunning-Kruger effect 🫠️
-
erebion
The effect which has recently been debunked? I doubt any such case would indeed exist.
-
erebion
https://www.sciencedirect.com/science/article/abs/pii/S0160289620300271
-
Kris
👍️
-
erebion
Oh wow, how quickly the years do pass...
-
erebion
> For instance if you were to order a bottle of whisky online, you could use a did to verify you are over 18 but not what age you are or where you were born
The German ID card does something line that. I always wondered what kind of obscure magic would be at work there.
-
erebion
*like that
-
Kris
GNU Taler is working on something like that: https://docs.taler.net/design-documents/024-age-restriction.html
-
MaxSan
>> For instance if you were to order a bottle of whisky online, you could use a did to verify you are over 18 but not what age you are or where you were born
> The German ID card does something line that. I always wondered what kind of obscure magic would be at work there.
It's not going to be the same, unless it's doing cryptographic magic on an open client how can third parties do this, and who accepts it