On 28/09/12 02:43, Ian Goldberg wrote:
> On Fri, Sep 28, 2012 at 02:19:22AM +0100, Ximin Luo wrote:
>> Hi, are there any plans to integrate OTR keys with PGP? (cf. how
>> monkeysphere integrates SSH keys with PGP).
>>
>> It's good that crypto products don't also try to provide a PKI and
>> reimplement the wheel, but then they should actually *use* existing
>> ones to fill this gap!
> 
> This comes up on the list now and again.  ;-)
> 
> One big problem is that there's no way to bind the PGP key for
> "[email protected]" to the AIM ID "angrybob".  Many people already do sign
> their OTR keys with their PGP keys, so if you (the person, not your
> software) know that [email protected] is the same person as angrybob, you
> can tell your OTR client that you've verified the keys.  But there's not
> a good way to do this automatically.
> 

Can't you just add those extra IM addresses as UIDs on your key, same as
multiple email addresses? I'm not aware they have to follow any specific
format, e.g. you can create a key with UID "ssh://host" which is what
monkeysphere does for host keys.

>> Also, how does OTR prevent MITM against "Q/A" and "Shared secret"
>> auth[1], as I was under the impression that only physical face-to-face
>> verification of fingerprints (or a derived process, e.g. PGP's WoT)
>> can prevent such attacks.
> 
> When you use Q/A or shared secret auth, OTR relies on you picking a
> (question or) secret that only your buddy knows (the answer to).  That
> way, the knowledge of the secret is bound by the SMP to the fingerprint
> of your buddy's public key.
> 
> Does that help?
> 
>    - Ian
> _______________________________________________
> OTR-users mailing list
> [email protected]
> http://lists.cypherpunks.ca/mailman/listinfo/otr-users


-- 
GPG: 4096R/5FBBDBCE
https://github.com/infinity0
https://bitbucket.org/infinity0
https://launchpad.net/~infinity0
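
Ian's point that the SMP binds knowledge of the secret to the key fingerprint, as an added Python example that is not part of the thread: it builds the value each side feeds into SMP the way the OTR protocol specification defines it (SHA-256 over a version byte, both fingerprints, the session id and the user's secret) and shows that the two values differ when a relay has substituted its own key. The key bytes, session ids and secret are constructed, the names `smp_secret` and `scenario` are illustrative, and the zero-knowledge comparison itself is not implemented, only the values it compares.

```python
import hashlib

SMP_VERSION = b"\x01"  # SMP version byte in the OTR spec's secret format


def fingerprint(pubkey: bytes) -> bytes:
    """20-byte SHA-1 fingerprint of a serialized public key (constructed here)."""
    return hashlib.sha1(pubkey).digest()


def smp_secret(initiator_fp: bytes, responder_fp: bytes,
               ssid: bytes, user_secret: str) -> bytes:
    """Value each side feeds into SMP: a hash over the user's secret AND the
    fingerprints and session id that this side sees in its own conversation."""
    if len(initiator_fp) != 20 or len(responder_fp) != 20:
        raise ValueError("fingerprints must be 20 bytes")
    return hashlib.sha256(SMP_VERSION + initiator_fp + responder_fp
                          + ssid + user_secret.encode("utf-8")).digest()


def scenario() -> dict:
    # Constructed stand-ins for real DSA public keys and 8-byte session ids.
    alice = fingerprint(b"constructed-key-alice")
    bob = fingerprint(b"constructed-key-bob")
    mallory = fingerprint(b"constructed-key-mallory")
    ssid_direct = bytes.fromhex("0102030405060708")
    ssid_am = bytes.fromhex("1111111111111111")  # Alice <-> Mallory session
    ssid_mb = bytes.fromhex("2222222222222222")  # Mallory <-> Bob session
    secret = "name of the cafe where we first met"

    # Direct session: both ends see the same keys and session id.
    x = smp_secret(alice, bob, ssid_direct, secret)
    y = smp_secret(alice, bob, ssid_direct, secret)
    # Relayed session: each end sees Mallory's key in place of its buddy's.
    x_mitm = smp_secret(alice, mallory, ssid_am, secret)
    y_mitm = smp_secret(mallory, bob, ssid_mb, secret)
    # Direct session, but the answer typed by Bob is wrong.
    y_wrong = smp_secret(alice, bob, ssid_direct, "some other cafe")
    return {"direct": x == y, "mitm": x_mitm == y_mitm, "wrong": x == y_wrong}


if __name__ == "__main__":
    for case, equal in scenario().items():
        print(f"{case:7s} inputs equal -> SMP {'succeeds' if equal else 'fails'}")
```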
