Old discussions will be put here.

Encryption

<bartman> What kind of encryption is suited best? OTR seems to be a good choice because it provides great security combined with other nice aspects such as deniability and the session validation keys. An implementation of OTR in ActionScript would take up quite some time.. but it's possible!

Is it necessary to encode the connection with SSL/TLS if we already encrypt all private messages?

<lynX> Do you? You always need the other side to decrypt the OTR.. if they don't, then you're back at plain text... but maybe the route to your own server is not your biggest enemy then. You decide.
<bartman> Of course, but being egoistic I could just give all people who I want to talk to csYc and then we're private. Others.. switch or implement it. I think I don't want the server to be able to read my messages.. I just need to solve the offline messages over OTR problem then ;) But if I recall correctly somewhere in this wiki there was a proposal for offline Diffie-Hellman negotiation, that should be possible to be done with OTR.
<fippo> what about the jabberistic encrypted sessions?
<bartman> thanks fippo, that was what i was thinking of. based on otr even :)

Current State

Encrypted sessions are the basis for the encryption. However, I encountered one big problem while implementing them: generating the Diffie-Hellman public key (especially the modpow) takes ~8-12 seconds to derive a 128-bit key from it. For 256-bit it takes even longer. This generation is necessary for every chat-session start. Is this acceptable? Can it be masqueraded as a feature? -> 'Securing your connection.... please wait.'

The only way around this would be a freaking fast ActionScript implementation; I'm not sure if you can make it that much faster, however. Otherwise the cryptography stuff could be exported to a small application running on the user's computer and computing all the stuff we need. This would make the installation more complicated and we'd need builds for all platforms AIR supports. Bad.

Another, even crazier solution would be to drop AIR and use Qt or something.. but.. well. Starting over again sucks.

Participate!

Give me your suggestions, what would you like to have in this client? Open questions? Design proposals?

  • <eMBee> the as3 code is available on request, simply because we have not gotten around to setting up anonymous access on our svn server yet. i can provide you with a url to a checkout or pack up a tarball. (i just don't want to publish it here)
    in general our code builds on monkey's work, although a lot has changed. monkey essentially only implemented MMP and Psyc parsing and mainly _request_input and _request_execute commands. we dropped those in favour of using the appropriate _request_do_... commands.
    the code is not really object oriented and could use a good cleanup, or even a (partial) rewrite/restructuring.
    we don't have the resources for that though. however i am willing to participate in testing and adapting our client to anything new you come up with. (just need to figure out how to run flex on linux. does anyone have experience with that?)
    • <bartman> Flex on linux is pretty straightforward. Get the Flex 2 SDK here and untar it - that's it. You've got the mxmlc in the bin/ dir, that's all you need :)
      It would be great if you could provide me your lib to take a look at it and see if it's suited. I'm even willing to do some cleanups and rewrites as far as I need them for a stable csYc codebase :) I'll meet you at psyced.org to file my request ;)