Iroh is definitely lighter-weight and developer-first, but it is not always “two binaries and nothing else” either (at least from what I have read). Once you need arbitrary peers across NATs/firewalls, you may need relays, address lookup, relay URLs/tickets, and for production likely dedicated/authenticated relays.
So to me the distinction is not “embedded vs not embedded”; both can be embedded. It is “P2P connectivity substrate” vs “governed zero-trust service overlay.” Iroh optimises for low-friction key-based peer connectivity. OpenZiti optimises for centrally governed, least-privilege service reachability, including identity lifecycle, revocation and policy control at fleet scale.
Note, I also work for NetFoundry, which develops and maintains OpenZiti.
Indeed, for hole-punching you need something external, I don't think anyone found an mechanism to do it without some "signaling" server or similar, if it's even possible at all.
> OpenZiti SDKs are app-embedded
I think this is a good clarification, the SDKs that communicate with OpenZiti are app-embedded, while the server/coordinator/whatever runs somewhere else. That's why the comparison with Iroh feels weird, as both the SDK+"server" runs embedded in the application (except if hole-punching is needed, then some external signalling server is needed, as mentioned earlier), so it is in practice, what the developer cares about, two binaries and not much else.
> So to me the distinction is not “embedded vs not embedded”; both can be embedded
This is where you lose me and others, as when they talk about Iroh being embedded, they do mean everything you need to say run a P2P chat application on two computers, there are usually no URLs/coordinators/whatnot involved there (again unless hole-punching is needed), while with OpenZiti you need that chat application + OpenZiti running. The distinction people are trying to understand is very much this, so it's confusing when you call it "embedded" while still having an external thing running alongside it.
The project has been moving to supporting directly connecting to other identities but it hasn't been a priority yet.
The connections an OpenZiti identity makes to another OpenZiti identity are direct-over-OpenZiti (not direct over IP underlay) if that makes sense. I don't know if you'll ever be able to have two process communicate without that third 'arbiter' process (I'll call it). It might happen, but right now it seems less likely than the direct connect approach.
hope that helps. But you can definitely have an SDK app client connect to an SDK app "server" and be fully zero trust, fully app embedded, fully end to end encrypted, peer-to-peer (over the overlay) connections.
Yes, but that's the thing, when people say "Iroh lives in the app" they mean the entire thing, the relays are optional hole-punching mechanisms, otherwise it is distributed P2P embedded in the app. It's slightly confusing when you claim OpenZiti to be the same, with "fully app embedded" but in reality there is a server/overlay/controller/coordinator running somewhere that isn't actually embedded in the app.
I'm not saying the idea is bad, I think both have their use cases, OpenZiti seems like a solid project otherwise, I'm not trying to say it's a bad choice. I'm merely trying to help you, as an outsider, to maybe use/don't use certain words/definitions when you talk about it as it gets confusing then once you actually start looking at the code and things look very different from the expectations you set.
I do wish you luck with the project, all sorts of P2P projects are needed and they all have their place, I don't think it's a "one eats them all" ecosystem, and the more the merrier :)
