[OTR-dev] OTR version 4 Draft #2

Carsten Mattner carstenmattner at gmail.com
Fri May 11 14:11:02 EDT 2018


On 5/11/18, Ola Bini <ola at olabini.se> wrote:

> Yeah, I agree about all these points - we have internally discussed
> both video and audio, and the many shortcomings with current
> solutions. OTRv4 could be used for those kinds of solutions, just as
> OTRv3 could (using the symmetric key, for example). But full solutions
> would require a very different concept and project. Personally, the
> authentication mechanisms used in ZRTP and SRTP are starting to feel
> very scary, in the modern age of good enough voice faking etc.

Therefore I will use voice chat only when people insist on it
and try to avoid discussing sensitive topics. Man, this sucks.

> I strongly disagree. No matter how skilled a developer is, a larger
> library means more internal complexity, something that has been shown
> increases the likelihood of bugs. I don't trust any developer, no
> matter how skilled, to not make mistakes. =)

It doesn't necessarily increase complexity as more often than not
it's just a well-curated collection of primitives with a
common abstraction on top. I still understand what you're
saying and don't really disagree, but I don't consider
trusting 5 independent projects an improvement over
trusting just gcrypt, sodium and one of the OpenSSL
branches.

Either way, this is a philosophical and highly speculative topic;
no need to go on. I believe we've had different priorities
and possibly different experiences with software quality and
have therefore formed different preferences. Nothing unusual
or surprising there.

