GSoC Finis
Summer of Code is over. It’s been a great experience, and beats the pants off of most jobs I can imagine. I’ve met lots of interesting people and learned far more about crypto and XMPP than I would have in my spare time.
(Update: I’ve published a more technical overview.)
My Encrypted Sessions implementation is now part of Gajim’s svn trunk. What I’ve completed to date is still just a proof-of-concept. There are three areas in which my implementation is not production-ready:
- Pseudo-random number generation. I’m using Python’s os.urandom; the documentation says it “should be unpredictable enough for cryptographic applications”, but I’m not 100% certain about that.
- Identity verification interface. The dialog I’m using right now assumes that the user has done the verification, and does not prompt again during future negotiations. If you’re using public keys, they’re not verified at all.
- Shared secret storage. Retained secrets are not encrypted. This requires asking the user for a password before they can negotiate an encrypted session.
I left these things to last because they require time-consuming research. In particular, I still haven’t dealt with Gajim’s GUI much. I intend to finish this work and stick around the XMPP community—there are all kinds of interesting things left to be done with this protocol.
I did not complete everything I set out in my application. In particular, “test all MUST and SHOULD level requirements” was unrealistic (to say the least). This is the first programming project I’ve been on with a real deadline, so I was unaccustomed to making these kinds of long-term estimates. I erred on the side of making my application look impressive, which was a mistake—I don’t want to be the kind of person who makes claims he can’t back up.
That said, I think the test suite is very useful in its current state, and hope that it will help pave the way for further implementations of Encrypted Sessions. I’ll publish more details about it (and technical details about implementing XEP-0116 and friends) once I’ve finished moving.
On a tangential note, blogging on a regular basis is much harder than it looks. Still, SoC has given this blog a nice PageRank boost, and it actually has some subscribers now.