Ola Bini wrote:
> The information in the TLV would simply be two values. The first one
> is a boolean that says whether my OTR instance has authenticated the
> other person's fingerprint or concluded an SMP successfully. The second
> value is a value that can range from 0 to 100 and is something I call
> a "security rating". Basically, this rating is an opaque judgment of
> how secure the connection is from my perspective. It can take into
> account whether I'm using TLS to talk to the XMPP server, whether Tor
> is used, whether logs are turned off, etc. The idea is that my client
> can give the other client a rough indication of how secure we think
> the situation is. This second value is vaguely specified on purpose,
> since it will always be subjective to the local peer's situation.
Heuristics shouldn't be a part of security protocols, IMO. In practice, they are almost invariably not implemented by clients and generally don't actually prevent attacks. I haven't had time to carefully read the rest of this yet, but that part stood out to me.

_______________________________________________
OTR-dev mailing list
OTR-dev@lists.cypherpunks.ca
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
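The proposed two-value TLV (a boolean plus a 0..100 rating) encoded and strictly parsed in OTR's 16-bit big-endian type/length/value layout, as an added example that is not code from the thread or from libotr; the TLV type id 0x7F01 is a placeholder assumption, since the thread assigns none, and the sample stream is constructed. The decoder rejects malformed values rather than interpreting them, and treats the result as an unverifiable hint from the peer.

```python
import struct
# Hypothetical TLV type id: the thread assigns none, so this is a placeholder.
TLV_TYPE_SECURITY_RATING = 0x7F01

def encode_security_rating(authenticated, rating):
    """One-byte boolean plus one-byte 0..100 rating in OTR's type/len/value."""
    if not 0 <= rating <= 100:
        raise ValueError("rating must be within 0..100")
    value = struct.pack("!BB", 1 if authenticated else 0, rating)
    return struct.pack("!HH", TLV_TYPE_SECURITY_RATING, len(value)) + value

def parse_tlvs(data):
    """Split a TLV byte string into (type, value) pairs, rejecting truncation."""
    tlvs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated TLV header")
        t, ln = struct.unpack_from("!HH", data, off)
        off += 4
        if len(data) - off < ln:
            raise ValueError("truncated TLV value")
        tlvs.append((t, data[off:off + ln]))
        off += ln
    return tlvs

def decode_security_rating(value):
    """Strictly decode the value: malformed input is rejected, not guessed at."""
    if len(value) != 2:
        raise ValueError("value must be exactly two bytes")
    flag, rating = value[0], value[1]
    if flag not in (0, 1) or rating > 100:
        raise ValueError("boolean or rating out of range")
    return {"authenticated": flag == 1, "rating": rating}

def is_well_formed(value):
    try:
        decode_security_rating(value)
        return True
    except ValueError:
        return False

def peer_hint(data):
    """Return the peer's hint from a TLV stream, or None if it is absent."""
    for t, v in parse_tlvs(data):
        if t == TLV_TYPE_SECURITY_RATING:
            return decode_security_rating(v)
    return None

# Constructed sample stream: an OTR padding TLV (type 0) then the proposed TLV.
SAMPLE_STREAM = struct.pack("!HH", 0, 3) + b"\x00" * 3 + encode_security_rating(True, 75)
```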