From snaggen at acc.umu.se Thu Jan 12 10:00:39 2006
From: snaggen at acc.umu.se (Mattias Eriksson)
Date: Thu, 12 Jan 2006 16:00:39 +0100
Subject: [OTR-dev] Key question
Message-ID: <1137078039.9318.12.camel@localhost.localdomain>

I looked at the gaim-otr plugin, and this is a very nice thing. But why don't you use existing pgp-keys/trustdatabase? This way an organization needs to do the keysigning procedure all over... or most probably assume that the key is the right one (like everybody currently is doing with unknown ssh hosts).

Are there any plans of adding the possibility to use existing pgpkeys?

//Snaggen

From ian at cypherpunks.ca Thu Jan 12 12:00:00 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Thu, 12 Jan 2006 12:00:00 -0500
Subject: [OTR-dev] Key question
In-Reply-To: <1137078039.9318.12.camel@localhost.localdomain>
References: <1137078039.9318.12.camel@localhost.localdomain>
Message-ID: <20060112170000.GS4463@smtp.paip.net>

On Thu, Jan 12, 2006 at 04:00:39PM +0100, Mattias Eriksson wrote:
> I looked at the gaim-otr plugin, and this is a very nice thing. But why
> don't you use existing pgp-keys/trustdatabase? This way an
> organization needs to do the keysigning procedure all over... or most
> probably assume that the key is the right one (like everybody currently
> is doing with unknown ssh hosts).
>
> Are there any plans of adding the possibility to use existing pgpkeys?

You can do this today. For example, http://www.r6.ca/russellotr.asc

As always, you can leverage an existing trust mechanism to build another. Just sign your OTR keys with your PGP key, and put it online somewhere. Then anyone that trusts your PGP key can learn your OTR key in a verifiable way.

Sometimes people ask if this can be done *automatically*, and the answer is "not usually", since most people don't have their IM account names listed on their PGP keys. How is software to know that the PGP key for "ian at cypherpunks.ca" is the one that should be used to check the signature on the OTR key for "otr4ian on AIM"?

   - Ian

From md401 at cam.ac.uk Thu Jan 12 17:39:33 2006
From: md401 at cam.ac.uk (Michael Donaghy)
Date: Thu, 12 Jan 2006 22:39:33 +0000
Subject: [OTR-dev] Key question
In-Reply-To: <20060112170000.GS4463@smtp.paip.net>
References: <1137078039.9318.12.camel@localhost.localdomain> <20060112170000.GS4463@smtp.paip.net>
Message-ID: <200601122239.40695.md401@cam.ac.uk>

> Sometimes people ask if this can be done *automatically*, and the answer
> is "not usually", since most people don't have their IM account names
> listed on their PGP keys. How is software to know that the PGP key for
> "ian at cypherpunks.ca" is the one that should be used to check the
> signature on the OTR key for "otr4ian on AIM"?
>
The same way PGP knows the keys for "martin orr" and "lucinda lynx" are the ones to use for checking the signatures on my key. A pgp signature contains the ID of the signing key, so you can easily use the right key to check it, even downloading it off a keyserver if necessary.

From ian at cypherpunks.ca Thu Jan 12 20:21:32 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Thu, 12 Jan 2006 20:21:32 -0500
Subject: [OTR-dev] Key question
In-Reply-To: <200601122239.40695.md401@cam.ac.uk>
References: <1137078039.9318.12.camel@localhost.localdomain> <20060112170000.GS4463@smtp.paip.net> <200601122239.40695.md401@cam.ac.uk>
Message-ID: <20060113012132.GC4463@smtp.paip.net>

On Thu, Jan 12, 2006 at 10:39:33PM +0000, Michael Donaghy wrote:
> > Sometimes people ask if this can be done *automatically*, and the answer
> > is "not usually", since most people don't have their IM account names
> > listed on their PGP keys. How is software to know that the PGP key for
> > "ian at cypherpunks.ca" is the one that should be used to check the
> > signature on the OTR key for "otr4ian on AIM"?
> >
> The same way PGP knows the keys for "martin orr" and "lucinda lynx" are the
> ones to use for checking the signatures on my key. A pgp signature contains
> the ID of the signing key, so you can easily use the right key to check it,
> even downloading it off a keyserver if necessary.

No, no. Perhaps I wasn't clear. The problem isn't in figuring out which PGP key to use to *validate* the signature; as you point out, that information is carried with the signature. The problem is in figuring out which PGP key should be used to *trust* the signature.

For example, I present two PGP-signed OTR keys, both claiming to be a signature for "roconnor at jabber.org":

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jabber account: roconnor at jabber.org
Fingerprint: E80BB592 1E3B491E FB5E5559 028D6F7C 9128F1A9
AIM account: (Jabber is prefered)
Fingerprint: 3D1F0B07 5A17682B CDB4DB6E 03DB7D45 39B09E9C
MSN account: (Jabber is prefered)
Fingerprint: 00D7B679 5C1BD5E0 3D9DD068 ADDBEA35 E75F9223
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB/MtxLRF4Sn+WLTcRAuQtAJ9RMPwuWAnCdw7DDgD4vdNrFxlb5ACeMkhQ
G1zka43rlhv5w2cs0BIh+JU=
=NVhC
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

Jabber account: roconnor at jabber.org
Fingerprint: A9D70580 72FC7401 25899589 4CD3CD12 E792C538
AIM account: (Jabber is prefered)
Fingerprint: C5D70FB3 135CB595 F2F31E01 88884CEF BDD73BD9
MSN account: (Jabber is prefered)
Fingerprint: EE2AE8B1 AC6F3210 6F85C697 FE83F039 8D0A390D
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQ8b+OkZRiTErSPb1AQG46wP/T8bs0hPgR/NV0NuKUcIcubd0DJvpLZMW
h7U34ABmtQN6TAMDlgdqxW3e/OPjG6QRnoKEPnrR9RYW+aXil2uLg8U7BRnGecLj
rRljF+VdRQR6jod2MRZFqpl+nULsEqL3iSkxkFM5j90rzT+/uJFsbQS7WRrr1TO4
nusfeIZCZvE=
=B/kX
-----END PGP SIGNATURE-----

It's easy, as you say, to figure out which PGP keys to use to verify the sigs (and, in fact, both sigs check out). But what is roconnor at jabber.org's real OTR fingerprint? How do you know?

   - Ian

From otr at sdonag.plus.com Fri Jan 13 05:41:45 2006
From: otr at sdonag.plus.com (Michael Donaghy)
Date: Fri, 13 Jan 2006 10:41:45 +0000
Subject: [OTR-dev] Key question
In-Reply-To: <20060113012132.GC4463@smtp.paip.net>
References: <1137078039.9318.12.camel@localhost.localdomain> <200601122239.40695.md401@cam.ac.uk> <20060113012132.GC4463@smtp.paip.net>
Message-ID: <200601131041.54235.otr@sdonag.plus.com>

On Friday 13 Jan 2006 01:21, Ian Goldberg wrote:
> On Thu, Jan 12, 2006 at 10:39:33PM +0000, Michael Donaghy wrote:
> > > Sometimes people ask if this can be done *automatically*, and the
> > > answer is "not usually", since most people don't have their IM account
> > > names listed on their PGP keys. How is software to know that the PGP
> > > key for "ian at cypherpunks.ca" is the one that should be used to check
> > > the signature on the OTR key for "otr4ian on AIM"?
> >
> > The same way PGP knows the keys for "martin orr" and "lucinda lynx" are
> > the ones to use for checking the signatures on my key. A pgp signature
> > contains the ID of the signing key, so you can easily use the right key
> > to check it, even downloading it off a keyserver if necessary.
>
> No, no. Perhaps I wasn't clear. The problem isn't in figuring out
> which PGP key to use to *validate* the signature; as you point out, that
> information is carried with the signature. The problem is in figuring
> out which PGP key should be used to *trust* the signature.
>
> For example, I present two PGP-signed OTR keys, both claiming to be a
> signature for "roconnor at jabber.org":
>
>
> It's easy, as you say, to figure out which PGP keys to use to
> verify the sigs (and, in fact, both sigs check out). But what is
> roconnor at jabber.org's real OTR fingerprint? How do you know?
>
I verify that I'm using the right key the same way I verify that the key I have for either of you is correct (Anyone can make a key with your email address on it) - by using the web of trust.
If I knew either of you we would probably have already met and signed each other's keys, if not there would hopefully be some mutual friend who had exchanged key fingerprints with both of us, and so on.

From rabbi at abditum.com Fri Jan 13 06:02:15 2006
From: rabbi at abditum.com (Len Sassaman)
Date: Fri, 13 Jan 2006 03:02:15 -0800 (PST)
Subject: [OTR-dev] Key question
In-Reply-To: <200601131041.54235.otr@sdonag.plus.com>
References: <1137078039.9318.12.camel@localhost.localdomain> <200601122239.40695.md401@cam.ac.uk> <20060113012132.GC4463@smtp.paip.net> <200601131041.54235.otr@sdonag.plus.com>
Message-ID:

On Fri, 13 Jan 2006, Michael Donaghy wrote:
> I verify that I'm using the right key the same way I verify that the key I
> have for either of you is correct (Anyone can make a key with your email
> address on it) - by using the web of trust. If I knew either of you we would
> probably have already met and signed each other's keys, if not there would
> hopefully be some mutual friend who had exchanged key fingerprints with both
> of us, and so on.

That presumes that trust is transitive.

(Yes, I am asserting that the web of trust is insecure. I am pleased that the OTR developers have not carried its weaknesses over to OTR.)

From ian at cypherpunks.ca Fri Jan 13 09:34:35 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Fri, 13 Jan 2006 09:34:35 -0500
Subject: [OTR-dev] Key question
In-Reply-To: <200601131041.54235.otr@sdonag.plus.com>
References: <1137078039.9318.12.camel@localhost.localdomain> <200601122239.40695.md401@cam.ac.uk> <20060113012132.GC4463@smtp.paip.net> <200601131041.54235.otr@sdonag.plus.com>
Message-ID: <20060113143435.GD4463@smtp.paip.net>

On Fri, Jan 13, 2006 at 10:41:45AM +0000, Michael Donaghy wrote:
> I verify that I'm using the right key the same way I verify that the key I
> have for either of you is correct (Anyone can make a key with your email
> address on it) - by using the web of trust. If I knew either of you we would
> probably have already met and signed each other's keys, if not there would
> hopefully be some mutual friend who had exchanged key fingerprints with both
> of us, and so on.

But *neither* PGP key involved in the example lists the address "roconnor at jabber.org". Both of the keys are in fact the correct keys for the people involved.

If (*IF*) you want to use the PGP WoT to sign OTR keys, at a minimum, you need to add your IM identity as an address to your PGP key, in some canonical format. Then people who signed that identity would be able to automatically trust that key to sign assertions *about the IM identity*.

   - Ian

From otr at sdonag.plus.com Fri Jan 13 13:32:48 2006
From: otr at sdonag.plus.com (Michael Donaghy)
Date: Fri, 13 Jan 2006 18:32:48 +0000
Subject: [OTR-dev] Key question
In-Reply-To: <20060113143435.GD4463@smtp.paip.net>
References: <1137078039.9318.12.camel@localhost.localdomain> <200601131041.54235.otr@sdonag.plus.com> <20060113143435.GD4463@smtp.paip.net>
Message-ID: <200601131833.02291.otr@sdonag.plus.com>

On Friday 13 Jan 2006 14:34, Ian Goldberg wrote:
> On Fri, Jan 13, 2006 at 10:41:45AM +0000, Michael Donaghy wrote:
> > I verify that I'm using the right key the same way I verify that the key
> > I have for either of you is correct (Anyone can make a key with your
> > email address on it) - by using the web of trust. If I knew either of you
> > we would probably have already met and signed each other's keys, if not
> > there would hopefully be some mutual friend who had exchanged key
> > fingerprints with both of us, and so on.
>
> But *neither* PGP key involved in the example lists the address
> "roconnor at jabber.org". Both of the keys are in fact the correct keys
> for the people involved.

So? It doesn't matter which of you signs the OTR key, as long as I trust whoever it is. If I've got your signature on the statement

    Jabber account: roconnor at jabber.org
    Fingerprint: E80BB592 1E3B491E FB5E5559 028D6F7C 9128F1A9

then it doesn't matter whether that account belongs to you - I trust you that that key belongs to that account, and I will use the key with that fingerprint when talking to roconnor at jabber.org, whoever that is.

(If I didn't think you were reliable when signing other people's keys, your key wouldn't be set as trusted. I suppose the downside of this is that I need to set you as trusted in order to have a valid signature on your own IM key - but if I don't trust you to sign keys correctly, I probably don't trust you to give me a correct IM address)

From md401 at cam.ac.uk Fri Jan 13 14:17:19 2006
From: md401 at cam.ac.uk (Michael Donaghy)
Date: Fri, 13 Jan 2006 19:17:19 +0000
Subject: [OTR-dev] Key question
In-Reply-To:
References: <1137078039.9318.12.camel@localhost.localdomain> <200601131041.54235.otr@sdonag.plus.com>
Message-ID: <200601131917.27502.md401@cam.ac.uk>

On Friday 13 Jan 2006 11:02, Len Sassaman wrote:
> On Fri, 13 Jan 2006, Michael Donaghy wrote:
> > I verify that I'm using the right key the same way I verify that the key
> > I have for either of you is correct (Anyone can make a key with your
> > email address on it) - by using the web of trust. If I knew either of you
> > we would probably have already met and signed each other's keys, if not
> > there would hopefully be some mutual friend who had exchanged key
> > fingerprints with both of us, and so on.
>
> That presumes that trust is transitive.
>
No it doesn't, because a key is only trusted if you set it to be trusted. I trust Martin, so I set his key to have full trust. This means I see John's key as valid, since Martin has signed it. However, I don't see keys John has signed as valid as well, unless I manually set the trust on John's key to full.

From arodland at entermail.net Wed Jan 18 13:55:46 2006
From: arodland at entermail.net (Andrew Rodland)
Date: Wed, 18 Jan 2006 13:55:46 -0500
Subject: [OTR-dev] Gaim 2.0 Update
Message-ID: <200601181355.51319.arodland@entermail.net>

There's been another small API update in Gaim CVS; this patch (applied on top of the gaim2 patch previously posted here) allows gaim-otr to compile again. I've also included the original patch in case someone needs it and doesn't want to hunt it down.

Andrew

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gaim-otr-3.0.0-gaim2update.diff
Type: text/x-diff
Size: 825 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gaim-otr-3.0.0-gaim2.diff
Type: text/x-diff
Size: 5744 bytes
Desc: not available
URL:

From asm at CS.Stanford.EDU Thu Jan 19 15:55:44 2006
From: asm at CS.Stanford.EDU (Andrew S. Morrison)
Date: Thu, 19 Jan 2006 12:55:44 -0800
Subject: [OTR-dev] Protocol Analysis
Message-ID: <20060119205544.GC3846@xenon.Stanford.EDU>

Myself and a partner are considering doing a formal security analysis of OTR over the next 3 months as part of a security protocols course at Stanford University.

We will be modeling the system and using a formal analysis system such as Murphi or PRISM to analyze the OTR protocol. Does anyone on the list know if such a thing has been done previously? If so, are there any papers from the analysis that I could read? Also, would anyone be willing to talk with me for a few minutes about OTR and some of the design decisions?

--
Andrew S. Morrison
asm at cs.stanford.edu
(650) 575 9261

From ian at cypherpunks.ca Thu Jan 19 16:17:20 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Thu, 19 Jan 2006 16:17:20 -0500
Subject: [OTR-dev] Protocol Analysis
In-Reply-To: <20060119205544.GC3846@xenon.Stanford.EDU>
References: <20060119205544.GC3846@xenon.Stanford.EDU>
Message-ID: <20060119211720.GF31179@smtp.paip.net>

On Thu, Jan 19, 2006 at 12:55:44PM -0800, Andrew S. Morrison wrote:
> Myself and a partner are considering doing a formal security analysis of
> OTR over the next 3 months as part of a security protocols course at
> Stanford University.
>
> We will be modeling the system and using a formal analysis system such as
> Murphi or PRISM to analyze the OTR protocol. Does anyone on the list know
> if such a thing has been done previously? If so, are there any papers from
> the analysis that I could read? Also, would anyone be willing to talk with
> me for a few minutes about OTR and some of the design decisions?

Very cool. There was a paper in the last WPES analysing the previous OTR protocol, which is what caused the protocol to change. ;-) It wasn't a formal analysis, though.

I'd certainly be happy to talk with you; email , and we can do it off-list. [This week's a little busy for me, though.]

   - Ian

From ian at cypherpunks.ca Fri Jan 20 10:17:42 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Fri, 20 Jan 2006 10:17:42 -0500
Subject: [OTR-dev] Gaim 2.0 Update
In-Reply-To: <200601181355.51319.arodland@entermail.net>
References: <200601181355.51319.arodland@entermail.net>
Message-ID: <20060120151742.GG31179@smtp.paip.net>

On Wed, Jan 18, 2006 at 01:55:46PM -0500, Andrew Rodland wrote:
> @@ -437,7 +441,7 @@ > #if GAIM_MAJOR_VERSION < 2 > act = gaim_blist_node_action_new("OTR Settings", otr_options_cb, NULL); > #else > - act = gaim_blist_node_action_new("OTR Settings", otr_options_cb, NULL, NULL); > + act = gaim_menu_action_new("OTR Settings", otr_options_cb, NULL, NULL); > #endif > *menu = g_list_append(*menu, act); > }

This can't be right. The type of the second parameter to gaim_menu_action_new isn't the same as the type of the second parameter to gaim_blist_node_action_new. The latter should be a void (*callback)(GaimBlistNode *, gpointer), which otr_options_cb is, but gaim_menu_action_new takes a GaimCallback, which is a void(*callback)(void) there instead.

But looking through the gaim code, it seems that callback is actually called with arguments, so I guess just a typecast to (GaimCallback) in front of the second parameter is in order.

Thanks for the patch,

   - Ian

From evan.s at dreskin.net Tue Jan 24 10:07:12 2006
From: evan.s at dreskin.net (Evan Schoenberg)
Date: Tue, 24 Jan 2006 10:07:12 -0500
Subject: [OTR-dev] Typo fix in error message
Message-ID:

Index: src/message.c =================================================================== --- src/message.c (revision 230) +++ src/message.c (working copy) @@ -830,7 +830,7 @@ break; } format = is_conflict ? "We received an unreadable " - "encrypted messahe from %s." : + "encrypted message from %s." : "We received a malformed data message from %s."; buf = malloc(strlen(format) + strlen(sender) - 1); if (buf) {

-Evan

From arodland at entermail.net Tue Jan 24 13:21:40 2006
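Review bot: in the #else branch of the quoted gaim-otr hunk (@@ -437,7 +441,7 @@), the added line passes otr_options_cb to gaim_menu_action_new with no cast, while the reply describes that parameter as a GaimCallback, void (*)(void), and otr_options_cb as void (*)(GaimBlistNode *, gpointer). Suggest writing (GaimCallback)otr_options_cb so the conversion is explicit and the pointer-type warning goes away, with a one-line comment that the callback is still invoked with the node and data arguments.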
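Review bot: in the src/message.c hunk (@@ -830,7 +830,7 @@), the context line buf = malloc(strlen(format) + strlen(sender) - 1); is only correct while format contains exactly one %s, which both strings in the conditional satisfy today but which nothing enforces. Suggest a short comment next to the malloc stating that assumption, or sizing the buffer from the formatted length, so a later wording change with a second specifier cannot undersize the buffer.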
From: arodland at entermail.net (Andrew Rodland)
Date: Tue, 24 Jan 2006 13:21:40 -0500
Subject: [OTR-dev] Gaim 2.0 Update
In-Reply-To: <20060120151742.GG31179@smtp.paip.net>
References: <200601181355.51319.arodland@entermail.net> <20060120151742.GG31179@smtp.paip.net>
Message-ID: <200601241321.40896.arodland@entermail.net>

On Friday 20 January 2006 10:17, Ian Goldberg wrote:
> On Wed, Jan 18, 2006 at 01:55:46PM -0500, Andrew Rodland wrote:
> > [snipped patch to bring gaim-otr 3 in line with new gaim 2.0 api]
> This can't be right. The type of the second parameter to
> gaim_menu_action_new isn't the same as the type of the second parameter
> to gaim_blist_node_action_new. The latter should be a
> void (*callback)(GaimBlistNode *, gpointer), which otr_options_cb is,
> but gaim_menu_action_new takes a GaimCallback, which is a
> void(*callback)(void) there instead.
>
> But looking through the gaim code, it seems that callback is actually
> called with arguments, so I guess just a typecast to (GaimCallback) in
> front of the second parameter is in order.
>
Yeah, that's pretty strange. I didn't dig too deeply into it; I just noticed that with my patch, the plugin compiles and the menu works, despite the pointer cast warning. Certainly I don't mind if someone does it "right", just providing the heads-up.

Andrew

From ian at cypherpunks.ca Tue Jan 24 14:58:02 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Tue, 24 Jan 2006 14:58:02 -0500
Subject: [OTR-dev] Typo fix in error message
In-Reply-To:
References:
Message-ID: <20060124195802.GV31179@smtp.paip.net>

On Tue, Jan 24, 2006 at 10:07:12AM -0500, Evan Schoenberg wrote:
> - "encrypted messahe from %s." : > + "encrypted message from %s." :

We'd already applied that patch, but thanks for the heads-up! :-)

   - Ian

From asm at CS.Stanford.EDU Fri Jan 27 20:09:45 2006
From: asm at CS.Stanford.EDU (Andrew S. Morrison)
Date: Fri, 27 Jan 2006 17:09:45 -0800
Subject: [OTR-dev] Protocol Clarification
Message-ID: <20060128010945.GA17082@xenon.Stanford.EDU>

In the "OTR Messaging Protocol Version 2" docs, the first transmission is stated to contain {g^x, HASH(g^x)}. In the slides for WPES, it is stated to be {g^x, SIGN_A(g^x)} and in the paper for WPES it is stated to be {g^{x_1}}. Where may I find the canonical protocol specification?

--
Andrew S. Morrison
asm at cs.stanford.edu
(650) 575 9261

From ian at cypherpunks.ca Fri Jan 27 20:31:21 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Fri, 27 Jan 2006 20:31:21 -0500
Subject: [OTR-dev] Protocol Clarification
In-Reply-To: <20060128010945.GA17082@xenon.Stanford.EDU>
References: <20060128010945.GA17082@xenon.Stanford.EDU>
Message-ID: <20060128013121.GB31179@smtp.paip.net>

On Fri, Jan 27, 2006 at 05:09:45PM -0800, Andrew S. Morrison wrote:
> In the "OTR Messaging Protocol Version 2" docs, the first transmission is
> stated to contain {g^x, HASH(g^x)}. In the slides for WPES, it is stated to
> be {g^x, SIGN_A(g^x)} and in the paper for WPES it is stated to be
> {g^{x_1}}. Where may I find the canonical protocol specification?

WPES was OTR protocol version 1. "Off-the-Record Messaging Protocol version 2" is the current spec, where it (correctly) says that the first message is { AES_r(g^x), HASH(g^x) }.

   - Ian
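
Added example for the "Key question" thread earlier in this archive (not code from any poster or from the OTR project): it contrasts the two acceptance rules argued there for a PGP-signed OTR fingerprint, namely that the signing key carries a certified user ID naming the IM account, or that the signer is simply a trusted introducer. The im:protocol:account user-ID form, the key names and the fingerprints are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field

def canonical_im_uid(protocol, account):
    # Assumed canonical form; the thread only asks for "some canonical format".
    return f"im:{protocol.strip().lower()}:{account.strip().lower()}"

@dataclass
class PgpKey:
    fingerprint: str
    uids: dict = field(default_factory=dict)  # user ID -> set of certifier fingerprints

@dataclass
class SignedClaim:
    signer: str           # signing key's fingerprint, carried in the signature
    sig_ok: bool          # cryptographic check result (e.g. from gpg --verify)
    protocol: str
    account: str
    otr_fingerprint: str

def resolve(protocol, account, claims, keyring, introducers, policy):
    """Return the set of OTR fingerprints accepted for one IM account."""
    wanted = canonical_im_uid(protocol, account)
    accepted = set()
    for c in claims:
        key = keyring.get(c.signer)
        if key is None or not c.sig_ok:
            continue                      # cannot validate: never accept
        if canonical_im_uid(c.protocol, c.account) != wanted:
            continue                      # statement is about another account
        if policy == "uid-binding":
            # Signer must hold a user ID naming this IM account, and that
            # user ID must be certified by a key we trust as an introducer.
            ok = bool(key.uids.get(wanted, set()) & introducers)
        elif policy == "trusted-signer":
            # Any statement from a key we trust as an introducer is believed.
            ok = c.signer in introducers
        else:
            raise ValueError(f"unknown policy: {policy}")
        if ok:
            accepted.add(c.otr_fingerprint)
    return accepted

# Constructed sample data: key names and fingerprints are placeholders.
OWNER_FP, OTHER_FP = "OTR-FP-FROM-OWNER", "OTR-FP-FROM-OTHER"

def sample(owner_has_im_uid):
    owner = PgpKey("KEY-OWNER", {"Owner <owner@example.org>": {"KEY-CAROL"}})
    if owner_has_im_uid:
        owner.uids["im:jabber:owner@jabber.example"] = {"KEY-CAROL"}
    other = PgpKey("KEY-OTHER", {"Other <other@example.org>": {"KEY-CAROL"}})
    keyring = {k.fingerprint: k for k in (owner, other)}
    claims = [  # two valid signatures making conflicting claims for one account
        SignedClaim("KEY-OWNER", True, "Jabber", "owner@jabber.example", OWNER_FP),
        SignedClaim("KEY-OTHER", True, "Jabber", "owner@jabber.example", OTHER_FP),
    ]
    return claims, keyring

if __name__ == "__main__":
    who = ("jabber", "owner@jabber.example")
    for has_uid in (False, True):
        claims, ring = sample(has_uid)
        print(has_uid, resolve(*who, claims, ring, {"KEY-CAROL"}, "uid-binding"))
    print(resolve(*who, claims, ring, {"KEY-OWNER", "KEY-OTHER"}, "trusted-signer"))
```

With no IM user ID on either key, both signatures verify but nothing is accepted; once the account owner's key carries the certified IM user ID, only that key's claim is accepted, whereas trusting both signers as introducers yields two conflicting fingerprints.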