Please fix your mail client to send proper References: headers; it is destroying the continuity of emails in this thread.
On 07/11/13 14:53, cypherpunks.b...@xoxy.net wrote: > >>> cypherpunks.boxy at xoxy.net wrote: >>> Any thoughts on allowing OTR to grab a key from an OpenPGP cert? > >> Ximin Luo <infinity0 at gmx.com> wrote: >> See this discussion[1] and subsequent messages. > > Thanks, very interesting... > >> TL;DR version is yes you can do it, and some of us want to do it. The >> least problematic workflow that is most compatible with existing >> workflows is: > >> - have a tool, e.g. some extension to monkeysphere, that creates an >> Authentication-use subkey with the critical notation that says >> something like "for OTR use only" > > Why would it have to be only for OTR use? In Pidgin, there is also a > GPG plugin. Why couldn't we use the same key for that, in case we're > comfortable with receiving an asynchronous communication? > Security concerns mean that it's wise not to use different keys for different protocols. I don't know what that GPG plugin does, but I am guessing it's not OTR - so unless you can prove it's safe, it is best to assume it's not safe. Just because you can, doesn't mean you should; semantically it would be similar to using the same key to lock your front door, as well as a random safety deposit box at your bank, plus as a stamp for a wax seal you put on your letters. Relevant: http://security.stackexchange.com/questions/1806/why-should-one-not-use-the-same-asymmetric-key-for-encryption-as-they-do-for-sig >> [...] > >> - have yet another tool that scans your otr application for collected >> public keys, and tries to verify their validity against your PGP trust >> database, optionally downloading missing keys from keyservers. > > I wonder if this way, things might get a bit too fragmented? Perhaps a > key management interface to the chat client, which any encryption plugin > might use? (See my other post in this thread: > http://lists.cypherpunks.ca/pipermail/otr-dev/2013-November/001990.html.) > They can all be integrated into the same UI for sure. What I meant by "separate tools" is that architecturally they are separate concerns and the processes have different lifetimes. The generation/conversion tool would be run once per account (or group of linked accounts), and the auto-sync-verify would be run periodically. Seriously, have a look at monkeysphere, it is pretty much directly analogous to what it does for SSH. X -- GPG: 4096R/1318EFAC5FBBDBCE git://github.com/infinity0/pubkeys.git
signature.asc
Description: OpenPGP digital signature
_______________________________________________ OTR-dev mailing list OTR-dev@lists.cypherpunks.ca http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
