# Year of the OX
**XMPP-Meetup Berlin**, 10.2.2021, 18:00 CET
Online - https://meet.in-berlin.de/YearOfTheOX (Please don't post on public social media - *save us from jitsi bombing*)
![Buffalo Bull Ruminant](https://cdn.pixabay.com/photo/2021/01/11/17/55/buffalo-5909134_1280.png)
## Topic: OpenPGP for XMPP (OX)
### Agenda
* 18:00 - Welcome chat
* 18:15 - Talk: OpenPGP for XMPP [[slides](https://jabber.fu-berlin.de/share/holger/KE7hVLNV1R4OR2xc/ox-intro.pdf)] (**Holger**)
* 18:30 - Panel: Introduction of panelists, comments and additions
* 18:45 - Panel: Initial questions
* 19:00 - Panel: Questions from the audience
* 19:30 - Open discussion
### Panelists
* **DebXWoody** - implementor of OX in Profanity
* **defanor** - implementor of OX in rexmpp
* **Florian** - co-author of the OX standards
* **lovetox** - implementor of OX for Gajim
* **Paul** - implementor of OX in Smack
## Questions
### Initial questions (moderator)
* Please introduce yourself and tell us about your relationship with XMPP.
* Do you have any comments or additions to Holger's talk?
* Why did you implement OX and what is your use case?
* What makes OX interesting for you compared to other encryption protocols, like [OMEMO](https://conversations.im/omemo/)?
* Do you have any security concerns related to this specification?
### Questions from the audience
* OX uses only one key pair per account not per device: Will it be easier to access old messages from archive on a new device? (debacle)
    * Answer: Yes.
* In company context or similar, will a key escrow scheme probably be easier to implement than with OMEMO? (debacle)
    * Answer: It is probably easy, esp. by just storing the primary key somewhere.
* Depending on implementation it might be possible to use a crypto token, such as Nitrokey or Yubikey? (debacle)
    * Answer: Possible, _but_ very difficult for client design (lovetox), i.e. how should the client behave when the key is not available. Also not well usable with mobile phones (DebXWoody).
* With the evolution of computers, especially quantum computers these days, do you think OpenPGP and OX are the way to go and a solid solution for end-to-end encryption in the future? (Jeybe)
    * if quantum computers become a thing, we have bigger problems -> rabbit hole
    * quantum computing can solve specific currently unsolvable problems, but not all
    * there is ongoing research for algorithms that are resistant to quantum computer attacks, also encryption algorithms based on quantum computing
    * OpenPGP is agnostic to the algorithms it uses: new algorithms added to OpenPGP may mitigate the problem and can be added without reimplementing everything
    * both clients need to support the new algorithm
    * elliptic curves are not resistant to quantum computing [wiki](https://en.wikipedia.org/wiki/Elliptic_curve_cryptography#Quantum_computing_attacks) [pdf](https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf)
    * potential (minimal) advantage of OX: symmetric encryption might be less affected by quantum computers; while OMEMO and asymmetric encryption is f** anyway
* What has to be done to implement group encryption? (marek)
    * needs to be specified and implemented - ideally by the same person/group
    * smaller group chats are easier to implement
    * [MLS (message layer security) IETF standard](https://datatracker.ietf.org/wg/mls/about/) seems better for bigger group chats
    * for bigger groups message encryption is most likely not as important as for smaller groups
* What is the primary goal of OX: To be an E2EE solution for those who prefer it for whatever reason (Nerds ;-)) or is the intention to actually bring OpenPGP for instant messaging to the masses? (Jeybe)
    * Multiple goals: IoT as well as bridge between nerds and normal users
    * Also: To be compatible to the different clients
    * one fingerprint is an advantage over multiple - easier for the masses
    * why divide the user base into nerds and normal users? You can use your own key if you want or a generated one if you don't care
    * OX can be even easier than OMEMO for the user (in theory)
* OpenPGP/OX may be used in conjunction with OMEMO to enable easier fingerprint verification on the latter? -> See [Keyoxide](https://keyoxide.org/9f0048ac0b23301e1f77e994909f6bd6f80f485d), with which you can sign your JID and the corresponding OMEMO fingerprints (paul)
* Maybe OX can be used to sign public messages or posts in Movim or Libervia or other XMPP based social networks? (debacle)
    * https://keyoxide.org/guides/xmpp
    * Might be tricky (Flow), because of XML normalization or lack thereof. But there is a middle ground: if the use case is known, specify how the to-be-signed bytes are calculated
    * If you know the structure of the data, you can know what parts to sign
    * Many social networks are web-based so you basically have to trust the application server, too; so another option would be to leave the verification up to the provider
* Does anyone know any good GPG Python libraries? (lovetox)
    * https://sequoia-pgp.org/projects/
    * GPGME has a Python binding
* Daniel, are you (already) considering adding OX to Conversations? (felix)
    * Yes, but no high priority at the moment
    * Autocrypt for lttrs is similar to OX - maybe it is going to be implemented as a library reusable for Conversations
    * OX is not considered as a replacement for OMEMO but for [XEP-0027](https://xmpp.org/extensions/xep-0027.html)
    * There is usage/need for forward secrecy
    * OpenKeychain as a manager for keys might not be needed once Autocrypt is implemented (Daniel)
    * centralized manager might be handy though
    * PEP is like a Web Key Directory for uploading the keys (DebXWoody)
* If I understand OMEMO correctly, then the keys are changed whereas OpenPGP keys are static. So, it would be possible to keep OpenPGP keys in a TPM, but it is not possible to store OMEMO keys there. Is that correct? That seems like a significant security advantage (neal)
    * OMEMO messages are en- and decrypted using the ratchet, which always changes. Identity key is not needed for every ratchet move and *might* be placed in TPM, but not sure what that brings to the table - so OX is more suitable for TPM
* How can a normal user transfer a private (generated) key from one device (device lost or broken) to another device? (Holger)
    * if PEP is used - key should not be stored there for a long time (DebXWoody)
    * Either you trust or don't trust the backup password (Paul)
    * Maybe ask the Delta Chat developers [how they do it](https://delta.chat/en/help#can-i-reuse-my-existing-private-key)
## Minutes
* 30 people (this is crazy!) :-)
* end-to-end-encryption (E2EE) is not a feature of "core" XMPP
* there were multiple attempts to add it as an extension (XMPP is all about extensions)
* modern: OMEMO, OX (our topic today)
* PGP is from the 90s
* used to be used extensively in e-mail communication
* sign and encrypt
* OMEMO is more modern, includes forward secrecy
* trade-off: usability vs secrecy
* legacy PGP doesn't do everything ~~you~~ Holger wants
* OX solves (many or all of) these problems
* key exchange via PEP (publish and subscribe technology in XMPP)
* encryption + signing
* operates on all kinds of XML elements
* mitigates replay attacks by using address/timestamp
* ...
* https://wiki.xmpp.org/web/XMPP_E2E_Security
* https://conversations.im/omemo
* DebXWoody: PGP has advantages over OMEMO; you don't have tons of keys all over the place; using a device like a Nitrokey, you can quickly and effortlessly encrypt everywhere in a secure manner
* defanor: (sorry, I had bad audio, add a sentence here...)
* Flow: there was a gap between E2E encryption with forward secrecy and "no encryption at all"
* old XEP horrible ;-)
* we need to raise the floor for end-to-end encryption
* (some) encryption is better than *no* encryption
* Paul: works on [Smack](https://github.com/igniterealtime/Smack)
* Google Summer of Code OMEMO + OX
* OX is like "the older brother" of OMEMO
* OMEMO vs OX
* Message history: with OMEMO it needs to be decrypted on the device, with PGP you can choose to have it either way
* OX allows for revocation
* OX allows for multiple algorithms
* the identity a key is assigned to can be within the key with OX
* lovetox: current maintainer of Gajim
* OX has full stanza encryption (we need that)
* full archive on the server is possible
* OX is more complex
* people bring their existing PGP keys, you need to "pick them up" somehow
* application (?!)...
* OX specification was built to serve many use cases
* not every possibility needs to be exposed to the user/application
* it is probably a good idea to make things (as) simple (as you can) for the user
* possible solution for applications (like Gajim): let the "pros" upload/insert their key into the application, otherwise just generate a key out of thin air
* keys can also be unencrypted PGP subkeys
* on a compromised machine the unencrypted PGP key is easy to steal - nothing new
* OpenPGP key ID cannot be extracted from an encrypted key
* [XEP 0373](https://xmpp.org/extensions/xep-0373.html#backup-encryption)
* if you use more than one key, you cannot distinguish them
* Why is the Symmetric Key Encrypted Session Key Packet to back up the secret key chosen over the OpenPGP packet specified for this purpose?
* More information about OX and further discussion in the XMPP wiki [tech page](https://wiki.xmpp.org/web/Tech_pages/OX)
* There's also a [XEP remarks page](https://wiki.xmpp.org/web/XEP-Remarks/XEP-0373:_OpenPGP_for_XMPP)
* Flow: Experiences from implementation should flow back into the specifications. This is currently a problem with the XMPP community
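
The replay mitigation noted in the minutes above ("address/timestamp"), written out as a receiver-side check. This is an added example, not code from any of the clients discussed: the element names and namespace follow XEP-0373, while `check_signcrypt`, `bare`, `MAX_SKEW` and the sample payload are hypothetical names and constructed data.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = "{urn:xmpp:openpgp:0}"        # XEP-0373 namespace, ElementTree notation
MAX_SKEW = timedelta(minutes=10)   # assumption: window chosen by the client

# Constructed sample of a decrypted <signcrypt/> payload.
SAMPLE = """<signcrypt xmlns='urn:xmpp:openpgp:0'>
  <to jid='juliet@example.org'/>
  <time stamp='2021-02-10T18:15:00Z'/>
  <rpad>f0rm1l4n4</rpad>
  <payload><body xmlns='jabber:client'>constructed sample</body></payload>
</signcrypt>"""

def bare(jid):
    """Drop the resource and lowercase (simplified; no full JID normalization)."""
    return jid.split("/", 1)[0].lower()

def check_signcrypt(xml_text, own_jid, now, seen):
    """Check a decrypted, signature-verified <signcrypt/>; return (ok, reason).

    now  -- timezone-aware reference time
    seen -- set of payloads already accepted, kept by the caller
    """
    root = ET.fromstring(xml_text)  # a real client reuses its XMPP parser here
    if root.tag != NS + "signcrypt":
        return False, "not a signcrypt element"
    # The signed <to/> binds the message to its recipient, so a message
    # signed for someone else cannot be re-sent to us unnoticed.
    recipients = {bare(t.get("jid", "")) for t in root.findall(NS + "to")}
    if bare(own_jid) not in recipients:
        return False, "not addressed to us"
    # The signed <time/> bounds how long a captured message stays acceptable.
    time_el = root.find(NS + "time")
    try:
        stamp = datetime.fromisoformat(time_el.get("stamp").replace("Z", "+00:00"))
        age = abs(now - stamp)
    except (AttributeError, TypeError, ValueError):
        return False, "missing or malformed timestamp"
    if age > MAX_SKEW:
        return False, "timestamp outside window"
    if xml_text in seen:            # exact replay inside the window
        return False, "duplicate"
    seen.add(xml_text)
    return True, "ok"
```

The checks only mean something after the OpenPGP signature over the whole `<signcrypt/>` has been verified; unsigned address and timestamp fields prove nothing.
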
## In other news
* cognitive project about communication with services to get answers to a search term. Answers might take a long time. (eevvoor)