[OTR-dev] Flaw in OTR Protocol (with workaround!)

Ian Goldberg ian at cypherpunks.ca
Thu Aug 4 08:25:06 EDT 2005


On Thu, Aug 04, 2005 at 08:07:10AM -0400, Greg Troxel wrote:
>   OTR session with Alice
> 
>   I exit my client
> 
>   Alice says something
> 
>   Alice exits her client
> 
>   I reappear on the net
> 
>   I get an encrypted message I can't read.
> 
> What I'd like is for my client to send a "destroy SA" message, that
> changes Alice's client from "Private" to "Private/Broken" where her
> client will still refuse to send cleartext, but will know that the key
> is invalid, and try to do an OTR setup exchange before sending a
> message.  This should be the same behavior as if OTR is required for
> this user.

If you were to select "End private conversation" from the OTR menu
before quitting your client, wouldn't something just like this happen?

>   You of course *can* sign OTR public keys in openpgp format:
> 
> I know I can do that.  I'd like to have automatic key management so
> that I don't have to do manual comparisons, just like how the PGP WoT
> works.   I see the simplicity argument, but it's too bad that OTR
> public keys aren't in openpgp format.

I don't think the *format* is the issue: if you're proposing to use your
*actual gpg key* as the signing key, then you're opening lots of cans of
worms.  How do you import the signatures into OTR?  How does someone
who's never heard of gpg verify them?  Even if they have heard of gpg,
where is their public key ring?  Where's your secret key ring?  Is it
even on this particular computer?  Are we assuming you're using any one
particular implementation of the openpgp format?  Since when does the
PGP WoT not require manual comparisons, anyway?

Could you be more explicit about a user scenario?

   - Ian


