Published: 2013-04-23 12:20:52 by Daniele Ricci

Eventually, after some discussion on a few mailing lists about using a new SASL mechanism for OpenPGP authentication, I decided to go the other (probably harder) way: OpenPGP over TLS.

The only existing project implementing RFC 6091 is GnuTLS. My objective is implementing that on Python+Twisted and Android.

I recently forked the python-gnutls project because it seemed to me to be unmaintained for a while. My fork is hosted on Gitorious: pygnutls.
I'll be primarily focusing on OpenPGP bindings and porting to the latest version of GnuTLS.

A working version of server-side OpenPGP authentication is already on git; the next step is Android.
Android has no built-in concept of OpenPGP; it has a stripped version of Bouncy Castle, but not enough even for doing basic encryption stuff. So I will need to add Spongy Castle (+1.2 MB on the resulting apk) and possibly get my hands dirty by hacking on Bouncy Castle because RFC 6091 is not implemented.

I think implementing RFC 6091 turned out to be the best option after all: creating a new SASL mechanism would have required prior D-H key exchange and all the other secure stuff already defined by TLS, thus reinventing the wheel. Not even talking about writing an RFC and getting it accepted.

Published: 2013-04-13 23:47:40 by Daniele Ricci

Kontalk is spreading at a nice pace, at an average rate of 0.2 new users per minute, excluding the 21st March peak. Donations keep coming in and development is going on. I've been having some health problems these past 2 weeks - apparently I'm overstressed or something like that - so I've slowed down a bit.

Currently I'm examining the possibilities and implications of encryption in Kontalk XMPP. Choosing GPG was actually a very hard choice: keys are big, server-side ops are a bit messy (gpgme), but it's too widely adopted a standard to be ignored. There is even a XEP for that so I'm not going to reinvent the wheel.

GPG has elliptic curve encryption already in beta, so hopefully we'll get that eventually and migration would be easy. So key size issue solved :-)

Server-side I'm using gpgme, which is a wrapper around the gpg executable (...); unfortunately there isn't much better than that. Eventually I will make my own implementation (anyone up for the task?).

The XMPP server already has a working ad-hoc SASL mechanism for GPG challenge-based authentication. Keys for Kontalk usage have the Jabber ID in the e-mail field, a custom user-defined name field and some special comment field (e.g. Kontalk: resource name).
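
The User ID convention described above, sketched as an added example (not Kontalk's own code): a strict parser for the conventional `Name (Comment) <email>` layout that a server could use to decide whether an already-verified key may authenticate a given bare JID. The function names, the sample User IDs and the `kontalk.example` domain are constructed for illustration, and lowercasing stands in for full XMPP string preparation.

```python
import re
from typing import Iterable, NamedTuple, Optional

# Conventional OpenPGP User ID layout: "Name (Comment) <email>".
# Strict on purpose: exactly one <...> at the very end, exactly one '@',
# and no stray brackets, so a second embedded address cannot be smuggled in.
_UID_RE = re.compile(
    r"(?P<name>[^()<>]*?)"
    r"(?:\s*\((?P<comment>[^()<>]*)\))?"
    r"\s*<(?P<email>[^<>\s@]+@[^<>\s@]+)>"
)


class UserID(NamedTuple):
    name: str
    comment: Optional[str]  # e.g. "Kontalk: resource name"
    jid: str                # e-mail field, carrying the bare Jabber ID


def parse_user_id(uid: str) -> Optional[UserID]:
    """Return the parsed User ID, or None if it does not fit the layout."""
    m = _UID_RE.fullmatch(uid.strip())
    if m is None:
        return None
    # Assumption: lowercasing approximates XMPP nodeprep/nameprep here.
    return UserID(m.group("name").strip(), m.group("comment"),
                  m.group("email").lower())


def key_speaks_for(uids: Iterable[str], bare_jid: str) -> bool:
    """True if any well-formed User ID on the key names this bare JID.

    The caller must already have verified the key's self-signatures and the
    authentication challenge; this only checks the identity binding.
    """
    wanted = bare_jid.lower()
    return any(p is not None and p.jid == wanted
               for p in map(parse_user_id, uids))


# Constructed sample User IDs, not taken from any real key.
SAMPLE_UIDS = [
    "Alice (Kontalk: phone) <Alice@kontalk.example>",
    "Mallory <alice@kontalk.example> <mallory@evil.example>",  # rejected
]
```

Malformed User IDs are rejected rather than partially parsed, so a key is only accepted for a JID that appears as the sole address of a well-formed User ID.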