From snaggen@acc.umu.se Thu Jan 12 15:00:39 2006
From: snaggen@acc.umu.se (Mattias Eriksson)
Date: Thu, 12 Jan 2006 16:00:39 +0100
Subject: [OTR-dev] Key question
Message-ID: <1137078039.9318.12.camel@localhost.localdomain>

I looked at the gaim-otr plugin, and this is a very nice thing. But why
don't you use existing pgp-keys/trustdatabase? This way an
organization needs to do the keysigning procedure all over... or most
probably assume that the key is the right one (like everybody currently
is doing with unknown ssh hosts).

Are there any plans of adding the possibility to use existing pgpkeys?

//Snaggen

From ian@cypherpunks.ca Thu Jan 12 17:00:00 2006
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Thu, 12 Jan 2006 12:00:00 -0500
Subject: [OTR-dev] Key question
In-Reply-To: <1137078039.9318.12.camel@localhost.localdomain>
References: <1137078039.9318.12.camel@localhost.localdomain>
Message-ID: <20060112170000.GS4463@smtp.paip.net>

On Thu, Jan 12, 2006 at 04:00:39PM +0100, Mattias Eriksson wrote:
> I looked at the gaim-otr plugin, and this is a very nice thing. But why
> don't you use existing pgp-keys/trustdatabase? This way an
> organization needs to do the keysigning procedure all over... or most
> probably assume that the key is the right one (like everybody currently
> is doing with unknown ssh hosts).
>
> Are there any plans of adding the possibility to use existing pgpkeys?

You can do this today. For example, http://www.r6.ca/russellotr.asc

As always, you can leverage an existing trust mechanism to build
another. Just sign your OTR keys with your PGP key, and put it online
somewhere. Then anyone that trusts your PGP key can learn your OTR key
in a verifiable way.

Sometimes people ask if this can be done *automatically*, and the answer
is "not usually", since most people don't have their IM account names
listed on their PGP keys. How is software to know that the PGP key for
"ian@cypherpunks.ca" is the one that should be used to check the
signature on the OTR key for "otr4ian on AIM"?

- Ian

From md401@cam.ac.uk Thu Jan 12 22:39:33 2006
From: md401@cam.ac.uk (Michael Donaghy)
Date: Thu, 12 Jan 2006 22:39:33 +0000
Subject: [OTR-dev] Key question
In-Reply-To: <20060112170000.GS4463@smtp.paip.net>
References: <1137078039.9318.12.camel@localhost.localdomain>
 <20060112170000.GS4463@smtp.paip.net>
Message-ID: <200601122239.40695.md401@cam.ac.uk>

> Sometimes people ask if this can be done *automatically*, and the answer
> is "not usually", since most people don't have their IM account names
> listed on their PGP keys. How is software to know that the PGP key for
> "ian@cypherpunks.ca" is the one that should be used to check the
> signature on the OTR key for "otr4ian on AIM"?
>
The same way PGP knows the keys for "martin orr" and "lucinda lynx" are the
ones to use for checking the signatures on my key. A pgp signature contains
the ID of the signing key, so you can easily use the right key to check it,
even downloading it off a keyserver if necessary.

From ian@cypherpunks.ca Fri Jan 13 01:21:32 2006
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Thu, 12 Jan 2006 20:21:32 -0500
Subject: [OTR-dev] Key question
In-Reply-To: <200601122239.40695.md401@cam.ac.uk>
References: <1137078039.9318.12.camel@localhost.localdomain>
 <20060112170000.GS4463@smtp.paip.net>
 <200601122239.40695.md401@cam.ac.uk>
Message-ID: <20060113012132.GC4463@smtp.paip.net>

On Thu, Jan 12, 2006 at 10:39:33PM +0000, Michael Donaghy wrote:
> > Sometimes people ask if this can be done *automatically*, and the answer
> > is "not usually", since most people don't have their IM account names
> > listed on their PGP keys. How is software to know that the PGP key for
> > "ian@cypherpunks.ca" is the one that should be used to check the
> > signature on the OTR key for "otr4ian on AIM"?
> >
> The same way PGP knows the keys for "martin orr" and "lucinda lynx" are the
> ones to use for checking the signatures on my key. A pgp signature contains
> the ID of the signing key, so you can easily use the right key to check it,
> even downloading it off a keyserver if necessary.

No, no. Perhaps I wasn't clear. The problem isn't in figuring out
which PGP key to use to *validate* the signature; as you point out, that
information is carried with the signature. The problem is in figuring
out which PGP key should be used to *trust* the signature.

For example, I present two PGP-signed OTR keys, both claiming to be a
signature for "roconnor@jabber.org":

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jabber account: roconnor@jabber.org
Fingerprint: E80BB592 1E3B491E FB5E5559 028D6F7C 9128F1A9
AIM account: (Jabber is prefered)
Fingerprint: 3D1F0B07 5A17682B CDB4DB6E 03DB7D45 39B09E9C
MSN account: (Jabber is prefered)
Fingerprint: 00D7B679 5C1BD5E0 3D9DD068 ADDBEA35 E75F9223
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB/MtxLRF4Sn+WLTcRAuQtAJ9RMPwuWAnCdw7DDgD4vdNrFxlb5ACeMkhQ
G1zka43rlhv5w2cs0BIh+JU=
=NVhC
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

Jabber account: roconnor@jabber.org
Fingerprint: A9D70580 72FC7401 25899589 4CD3CD12 E792C538
AIM account: (Jabber is prefered)
Fingerprint: C5D70FB3 135CB595 F2F31E01 88884CEF BDD73BD9
MSN account: (Jabber is prefered)
Fingerprint: EE2AE8B1 AC6F3210 6F85C697 FE83F039 8D0A390D
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQ8b+OkZRiTErSPb1AQG46wP/T8bs0hPgR/NV0NuKUcIcubd0DJvpLZMW
h7U34ABmtQN6TAMDlgdqxW3e/OPjG6QRnoKEPnrR9RYW+aXil2uLg8U7BRnGecLj
rRljF+VdRQR6jod2MRZFqpl+nULsEqL3iSkxkFM5j90rzT+/uJFsbQS7WRrr1TO4
nusfeIZCZvE=
=B/kX
-----END PGP SIGNATURE-----

It's easy, as you say, to figure out which PGP keys to use to
verify the sigs (and, in fact, both sigs check out). But what is
roconnor@jabber.org's real OTR fingerprint? How do you know?

- Ian

From otr@sdonag.plus.com Fri Jan 13 10:41:45 2006
From: otr@sdonag.plus.com (Michael Donaghy)
Date: Fri, 13 Jan 2006 10:41:45 +0000
Subject: [OTR-dev] Key question
In-Reply-To: <20060113012132.GC4463@smtp.paip.net>
References: <1137078039.9318.12.camel@localhost.localdomain>
 <200601122239.40695.md401@cam.ac.uk>
 <20060113012132.GC4463@smtp.paip.net>
Message-ID: <200601131041.54235.otr@sdonag.plus.com>

On Friday 13 Jan 2006 01:21, Ian Goldberg wrote:
> On Thu, Jan 12, 2006 at 10:39:33PM +0000, Michael Donaghy wrote:
> > > Sometimes people ask if this can be done *automatically*, and the
> > > answer is "not usually", since most people don't have their IM account
> > > names listed on their PGP keys. How is software to know that the PGP
> > > key for "ian@cypherpunks.ca" is the one that should be used to check
> > > the signature on the OTR key for "otr4ian on AIM"?
> >
> > The same way PGP knows the keys for "martin orr" and "lucinda lynx" are
> > the ones to use for checking the signatures on my key. A pgp signature
> > contains the ID of the signing key, so you can easily use the right key
> > to check it, even downloading it off a keyserver if necessary.
>
> No, no. Perhaps I wasn't clear. The problem isn't in figuring out
> which PGP key to use to *validate* the signature; as you point out, that
> information is carried with the signature. The problem is in figuring
> out which PGP key should be used to *trust* the signature.
>
> For example, I present two PGP-signed OTR keys, both claiming to be a
> signature for "roconnor@jabber.org":
>
>
> It's easy, as you say, to figure out which PGP keys to use to
> verify the sigs (and, in fact, both sigs check out). But what is
> roconnor@jabber.org's real OTR fingerprint? How do you know?
>
I verify that I'm using the right key the same way I verify that the key I
have for either of you is correct (Anyone can make a key with your email
address on it) - by using the web of trust. If I knew either of you we would
probably have already met and signed each other's keys, if not there would
hopefully be some mutual friend who had exchanged key fingerprints with both
of us, and so on.

From rabbi@abditum.com Fri Jan 13 11:02:15 2006
From: rabbi@abditum.com (Len Sassaman)
Date: Fri, 13 Jan 2006 03:02:15 -0800 (PST)
Subject: [OTR-dev] Key question
In-Reply-To: <200601131041.54235.otr@sdonag.plus.com>
References: <1137078039.9318.12.camel@localhost.localdomain>
 <200601122239.40695.md401@cam.ac.uk>
 <20060113012132.GC4463@smtp.paip.net>
 <200601131041.54235.otr@sdonag.plus.com>
Message-ID:

On Fri, 13 Jan 2006, Michael Donaghy wrote:

> I verify that I'm using the right key the same way I verify that the key I
> have for either of you is correct (Anyone can make a key with your email
> address on it) - by using the web of trust. If I knew either of you we would
> probably have already met and signed each other's keys, if not there would
> hopefully be some mutual friend who had exchanged key fingerprints with both
> of us, and so on.

That presumes that trust is transitive.

(Yes, I am asserting that the web of trust is insecure. I am pleased that
the OTR developers have not carried its weaknesses over to OTR.)

From ian@cypherpunks.ca Fri Jan 13 14:34:35 2006
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Fri, 13 Jan 2006 09:34:35 -0500
Subject: [OTR-dev] Key question
In-Reply-To: <200601131041.54235.otr@sdonag.plus.com>
References: <1137078039.9318.12.camel@localhost.localdomain>
 <200601122239.40695.md401@cam.ac.uk>
 <20060113012132.GC4463@smtp.paip.net>
 <200601131041.54235.otr@sdonag.plus.com>
Message-ID: <20060113143435.GD4463@smtp.paip.net>

On Fri, Jan 13, 2006 at 10:41:45AM +0000, Michael Donaghy wrote:
> I verify that I'm using the right key the same way I verify that the key I
> have for either of you is correct (Anyone can make a key with your email
> address on it) - by using the web of trust. If I knew either of you we would
> probably have already met and signed each other's keys, if not there would
> hopefully be some mutual friend who had exchanged key fingerprints with both
> of us, and so on.

But *neither* PGP key involved in the example lists the address
"roconnor@jabber.org". Both of the keys are in fact the correct keys
for the people involved.

If (*IF*) you want to use the PGP WoT to sign OTR keys, at a minimum,
you need to add your IM identity as an address to your PGP key, in some
canonical format. Then people who signed that identity would be able to
automatically trust that key to sign assertions *about the IM identity*.

- Ian

From otr@sdonag.plus.com Fri Jan 13 18:32:48 2006
From: otr@sdonag.plus.com (Michael Donaghy)
Date: Fri, 13 Jan 2006 18:32:48 +0000
Subject: [OTR-dev] Key question
In-Reply-To: <20060113143435.GD4463@smtp.paip.net>
References: <1137078039.9318.12.camel@localhost.localdomain>
 <200601131041.54235.otr@sdonag.plus.com>
 <20060113143435.GD4463@smtp.paip.net>
Message-ID: <200601131833.02291.otr@sdonag.plus.com>

On Friday 13 Jan 2006 14:34, Ian Goldberg wrote:
> On Fri, Jan 13, 2006 at 10:41:45AM +0000, Michael Donaghy wrote:
> > I verify that I'm using the right key the same way I verify that the key
> > I have for either of you is correct (Anyone can make a key with your
> > email address on it) - by using the web of trust. If I knew either of you
> > we would probably have already met and signed each other's keys, if not
> > there would hopefully be some mutual friend who had exchanged key
> > fingerprints with both of us, and so on.
>
> But *neither* PGP key involved in the example lists the address
> "roconnor@jabber.org". Both of the keys are in fact the correct keys
> for the people involved.

So? It doesn't matter which of you signs the OTR key, as long as I trust
whoever it is. If I've got your signature on the statement

Jabber account: roconnor@jabber.org
Fingerprint: E80BB592 1E3B491E FB5E5559 028D6F7C 9128F1A9

then it doesn't matter whether that account belongs to you - I trust you that
that key belongs to that account, and I will use the key with that
fingerprint when talking to roconnor@jabber.org, whoever that is. (If I
didn't think you were reliable when signing other people's keys, your key
wouldn't be set as trusted. I suppose the downside of this is that I need to
set you as trusted in order to have a valid signature on your own IM key -
but if I don't trust you to sign keys correctly, I probably don't trust you
to give me a correct IM address)

From md401@cam.ac.uk Fri Jan 13 19:17:19 2006
From: md401@cam.ac.uk (Michael Donaghy)
Date: Fri, 13 Jan 2006 19:17:19 +0000
Subject: [OTR-dev] Key question
In-Reply-To:
References: <1137078039.9318.12.camel@localhost.localdomain>
 <200601131041.54235.otr@sdonag.plus.com>
Message-ID: <200601131917.27502.md401@cam.ac.uk>

On Friday 13 Jan 2006 11:02, Len Sassaman wrote:
> On Fri, 13 Jan 2006, Michael Donaghy wrote:
> > I verify that I'm using the right key the same way I verify that the key
> > I have for either of you is correct (Anyone can make a key with your
> > email address on it) - by using the web of trust. If I knew either of you
> > we would probably have already met and signed each other's keys, if not
> > there would hopefully be some mutual friend who had exchanged key
> > fingerprints with both of us, and so on.
>
> That presumes that trust is transitive.
>
No it doesn't, because a key is only trusted if you set it to be trusted. I
trust Martin, so I set his key to have full trust. This means I see John's
key as valid, since Martin has signed it. However, I don't see keys John has
signed as valid as well, unless I manually set the trust on John's key to
full.

From arodland@entermail.net Wed Jan 18 18:55:46 2006
From: arodland@entermail.net (Andrew Rodland)
Date: Wed, 18 Jan 2006 13:55:46 -0500
Subject: [OTR-dev] Gaim 2.0 Update
Message-ID: <200601181355.51319.arodland@entermail.net>

There's been another small API update in Gaim CVS; this patch (applied on top
of the gaim2 patch previously posted here) allows gaim-otr to compile again.
I've also included the original patch in case someone needs it and doesn't
want to hunt it down.

Andrew

diff -rNu gaim-otr-3.0.0/otr-plugin.c gaim-otr-3.0.0+gaim2/otr-plugin.c --- gaim-otr-3.0.0/otr-plugin.c 2005-11-17 14:36:28.498903000 -0500 +++ gaim-otr-3.0.0+gaim2/otr-plugin.c 2006-01-18 13:49:45.203668464 -0500 @@ -420,7 +420,11 @@ static void supply_extended_menu(GaimBlistNode *node, GList **menu) { +#if GAIM_MAJOR_VERSION < 2 GaimBlistNodeAction *act; +#else + GaimMenuAction *act; +#endif GaimBuddy *buddy; GaimAccount *acct; const char *proto; 
@@ -437,7 +441,7 @@ #if GAIM_MAJOR_VERSION < 2 act = gaim_blist_node_action_new("OTR Settings", otr_options_cb, NULL); #else - act = gaim_blist_node_action_new("OTR Settings", otr_options_cb, NULL, NULL); + act = gaim_menu_action_new("OTR Settings", otr_options_cb, NULL, NULL); #endif *menu = g_list_append(*menu, act); } --Boundary-01=_y8ozDnkCnR0fJ/6 Content-Type: text/x-diff; charset="us-ascii"; name="gaim-otr-3.0.0-gaim2.diff" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="gaim-otr-3.0.0-gaim2.diff" diff -Naur gaim-otr-3.0.0/gtk-dialog.c gaim-otr-3.0.0-gaim2/gtk-dialog.c =2D-- gaim-otr-3.0.0/gtk-dialog.c 2005-10-27 23:38:21.000000000 -0400 +++ gaim-otr-3.0.0-gaim2/gtk-dialog.c 2005-11-16 20:23:59.000000000 -0500 @@ -33,6 +33,7 @@ #include "gtkutils.h" #include "gtkimhtml.h" #include "util.h" +#include "version.h" =20 /* libotr headers */ #include @@ -779,7 +780,11 @@ account =3D gaim_accounts_find(accountname, protocol); if (!account) return -1; =20 +#if GAIM_MAJOR_VERSION < 2 conv =3D gaim_find_conversation_with_account(username, account); +#else + conv =3D gaim_find_conversation_with_account(GAIM_CONV_TYPE_IM, userna= me, account); +#endif if (!conv) return -1; =20 gaim_conversation_write(conv, NULL, msg, GAIM_MESSAGE_SYSTEM, time(NUL= L)); @@ -968,7 +973,11 @@ =20 account =3D gaim_accounts_find(context->accountname, context->protocol= ); if (!account) return; +#if GAIM_MAJOR_VERSION < 2 conv =3D gaim_find_conversation_with_account(context->username, accoun= t); +#else + conv =3D gaim_find_conversation_with_account(GAIM_CONV_TYPE_IM, contex= t->username, account); +#endif if (!conv) return; dialog_update_label_conv(conv, level); } 
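Review bot: The version switch around gaim_find_conversation_with_account in this hunk (gtk-dialog.c, old line 968) duplicates the one added in the hunk at old line 779, and the two branches differ only in the extra GAIM_CONV_TYPE_IM first argument. A single version-dependent wrapper defined once near the includes, taking the name and the account and adding GAIM_CONV_TYPE_IM when GAIM_MAJOR_VERSION is 2 or later, would keep each call site to one line and stop one branch drifting from the other.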
@@ -1252,7 +1261,11 @@ account =3D gaim_accounts_find(accountname, protocol); if (!account) return; =20 +#if GAIM_MAJOR_VERSION < 2 conv =3D gaim_find_conversation_with_account(username, account); +#else + conv =3D gaim_find_conversation_with_account(GAIM_CONV_TYPE_IM, userna= me, account); +#endif if (!conv) return; =20 buf =3D g_strdup_printf("%s has ended his private conversation with yo= u; " @@ -1406,9 +1419,13 @@ GtkWidget *whatsthis; =20 /* Do nothing if this isn't an IM conversation */ +#if GAIM_MAJOR_VERSION < 2 if (gaim_conversation_get_type(conv) !=3D GAIM_CONV_IM) return; =2D bbox =3D gtkconv->bbox; +#else + if (gaim_conversation_get_type(conv) !=3D GAIM_CONV_TYPE_IM) return; + bbox =3D gtkconv->lower_hbox; +#endif =20 context =3D otrg_plugin_conv_to_context(conv); =20 @@ -1515,7 +1532,11 @@ GtkWidget *button; =20 /* Do nothing if this isn't an IM conversation */ +#if GAIM_MAJOR_VERSION < 2 if (gaim_conversation_get_type(conv) !=3D GAIM_CONV_IM) return; +#else + if (gaim_conversation_get_type(conv) !=3D GAIM_CONV_TYPE_IM) return; +#endif =20 button =3D gaim_conversation_get_data(conv, "otr-button"); if (button) gtk_object_destroy(GTK_OBJECT(button)); @@ -1531,7 +1552,11 @@ OtrlPolicy policy; =20 /* Do nothing if this isn't an IM conversation */ +#if GAIM_MAJOR_VERSION < 2 if (gaim_conversation_get_type(conv) !=3D GAIM_CONV_IM) return; +#else + if (gaim_conversation_get_type(conv) !=3D GAIM_CONV_TYPE_IM) return; +#endif =20 account =3D gaim_conversation_get_account(conv); name =3D gaim_conversation_get_name(conv); diff -Naur gaim-otr-3.0.0/otr-plugin.c gaim-otr-3.0.0-gaim2/otr-plugin.c =2D-- gaim-otr-3.0.0/otr-plugin.c 2005-10-27 12:01:59.000000000 -0400 +++ gaim-otr-3.0.0-gaim2/otr-plugin.c 2005-11-15 21:08:51.000000000 -0500 @@ -32,11 +32,11 @@ =20 /* gaim headers */ #include "gaim.h" =2D#include "core.h" #include "notify.h" #include "version.h" #include "util.h" #include "debug.h" +#include "core.h" =20 #ifdef USING_GTK /* gaim GTK headers */ 
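Review bot: The move of #include "core.h" from second position to after "debug.h" in this hunk is not wrapped in GAIM_MAJOR_VERSION like the other changes and carries no comment, so it also changes the include order of the 1.x build and the reason for the new order is not recorded. If core.h needs a declaration from one of the headers now above it under gaim 2, a one-line comment naming that header would keep a later cleanup from re-sorting the list.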
@@ -156,7 +156,11 @@ buddy =3D gaim_find_buddy(account, recipient); if (!buddy) return -1; =20 +#if GAIM_MAJOR_VERSION < 2 return (buddy->present =3D=3D GAIM_BUDDY_ONLINE); +#else + return (GAIM_BUDDY_IS_ONLINE(buddy)); +#endif } =20 static void inject_message_cb(void *opdata, const char *accountname, @@ -430,7 +434,11 @@ proto =3D gaim_account_get_protocol_id(acct); if (!otrg_plugin_proto_supports_otr(proto)) return; =20 +#if GAIM_MAJOR_VERSION < 2 act =3D gaim_blist_node_action_new("OTR Settings", otr_options_cb, NUL= L); +#else + act =3D gaim_blist_node_action_new("OTR Settings", otr_options_cb, NUL= L, NULL); +#endif *menu =3D g_list_append(*menu, act); } =20 @@ -482,9 +490,17 @@ account =3D gaim_accounts_find(context->accountname, context->protocol= ); if (account =3D=3D NULL) return NULL; =20 +#if GAIM_MAJOR_VERSION < 2 conv =3D gaim_find_conversation_with_account(context->username, accoun= t); +#else + conv =3D gaim_find_conversation_with_account(GAIM_CONV_TYPE_IM, contex= t->username, account); +#endif if (conv =3D=3D NULL && force_create) { +#if GAIM_MAJOR_VERSION < 2 conv =3D gaim_conversation_new(GAIM_CONV_IM, account, context->username); +#else + conv =3D gaim_conversation_new(GAIM_CONV_TYPE_IM, account, context->usern= ame); +#endif } =20 return conv; @@ -567,9 +583,15 @@ GAIM_CALLBACK(process_connection_change), NULL); gaim_signal_connect(blist_handle, "blist-node-extended-menu", otrg_plugin_handle, GAIM_CALLBACK(supply_extended_menu), NULL); +#if GAIM_MAJOR_VERSION < 2 button_type_cbid =3D gaim_prefs_connect_callback( "/gaim/gtk/conversations/button_type", process_button_type_change, NULL); +#else + button_type_cbid =3D gaim_prefs_connect_callback(NULL, + "/gaim/gtk/conversations/button_type", + process_button_type_change, NULL); +#endif =20 gaim_conversation_foreach(otrg_dialog_new_conv); =20 
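Review bot: The gaim 2 branch of gaim_prefs_connect_callback in this hunk passes NULL for the new leading argument, while the gaim_signal_connect calls in the context lines just above register with otrg_plugin_handle. If that argument identifies the owner of the callback, as the handle in the signal calls does, passing otrg_plugin_handle would be consistent with the neighbouring registrations; otherwise a short comment saying why NULL is acceptable here would help.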
@@ -642,7 +664,12 @@ =20 /* We stick with the functions in the gaim 1.0.x API for * compatibility. */ =2D 1, /* major version */ +#if GAIM_MAJOR_VERSION < 2 + 1, /* major version= */ +#else + /* The 2.0.x API is causing no trouble - Dustin */ + 2, /* major version= */ +#endif 0, /* minor version */ =20 GAIM_PLUGIN_STANDARD, /* type */

From asm@CS.Stanford.EDU Thu Jan 19 20:55:44 2006
From: asm@CS.Stanford.EDU (Andrew S. Morrison)
Date: Thu, 19 Jan 2006 12:55:44 -0800
Subject: [OTR-dev] Protocol Analysis
Message-ID: <20060119205544.GC3846@xenon.Stanford.EDU>

Myself and a partner are considering doing a formal security analysis of
OTR over the next 3 months as part of a security protocols course at
Stanford University.

We will be modeling the system and using a formal analysis system such as
Murphi or PRISM to analyze the OTR protocol. Does anyone on the list know
if such a thing has been done previously? If so, are there any papers from
the analysis that I could read? Also, would anyone be willing to talk with
me for a few minutes about OTR and some of the design decisions?

--
Andrew S. Morrison
asm@cs.stanford.edu
(650) 575 9261

From ian@cypherpunks.ca Thu Jan 19 21:17:20 2006
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Thu, 19 Jan 2006 16:17:20 -0500
Subject: [OTR-dev] Protocol Analysis
In-Reply-To: <20060119205544.GC3846@xenon.Stanford.EDU>
References: <20060119205544.GC3846@xenon.Stanford.EDU>
Message-ID: <20060119211720.GF31179@smtp.paip.net>

On Thu, Jan 19, 2006 at 12:55:44PM -0800, Andrew S. Morrison wrote:
> Myself and a partner are considering doing a formal security analysis of
> OTR over the next 3 months as part of a security protocols course at
> Stanford University.
>
> We will be modeling the system and using a formal analysis system such as
> Murphi or PRISM to analyze the OTR protocol. Does anyone on the list know
> if such a thing has been done previously? If so, are there any papers from
> the analysis that I could read? Also, would anyone be willing to talk with
> me for a few minutes about OTR and some of the design decisions?

Very cool. There was a paper in the last WPES analysing the previous OTR
protocol, which is what caused the protocol to change. ;-) It wasn't a
formal analysis, though.

I'd certainly be happy to talk with you; email , and we can do it
off-list. [This week's a little busy for me, though.]

- Ian

From ian@cypherpunks.ca Fri Jan 20 15:17:42 2006
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Fri, 20 Jan 2006 10:17:42 -0500
Subject: [OTR-dev] Gaim 2.0 Update
In-Reply-To: <200601181355.51319.arodland@entermail.net>
References: <200601181355.51319.arodland@entermail.net>
Message-ID: <20060120151742.GG31179@smtp.paip.net>

On Wed, Jan 18, 2006 at 01:55:46PM -0500, Andrew Rodland wrote:
> @@ -437,7 +441,7 @@ > #if GAIM_MAJOR_VERSION < 2 > act = gaim_blist_node_action_new("OTR Settings", otr_options_cb, NULL); > #else > - act = gaim_blist_node_action_new("OTR Settings", otr_options_cb, NULL, NULL); > + act = gaim_menu_action_new("OTR Settings", otr_options_cb, NULL, NULL); > #endif > *menu = g_list_append(*menu, act); > }

This can't be right. The type of the second parameter to
gaim_menu_action_new isn't the same as the type of the second parameter
to gaim_blist_node_action_new. The latter should be a
void (*callback)(GaimBlistNode *, gpointer), which otr_options_cb is,
but gaim_menu_action_new takes a GaimCallback, which is a
void(*callback)(void) there instead.

But looking through the gaim code, it seems that callback is actually
called with arguments, so I guess just a typecast to (GaimCallback) in
front of the second parameter is in order.

Thanks for the patch,

- Ian

From evan.s@dreskin.net Tue Jan 24 15:07:12 2006
From: evan.s@dreskin.net (Evan Schoenberg)
Date: Tue, 24 Jan 2006 10:07:12 -0500
Subject: [OTR-dev] Typo fix in error message
Message-ID:

Index: src/message.c =================================================================== --- src/message.c (revision 230) +++ src/message.c (working copy) 
@@ -830,7 +830,7 @@ break; } format = is_conflict ? "We received an unreadable " - "encrypted messahe from %s." : + "encrypted message from %s." : "We received a malformed data message from %s."; buf = malloc(strlen(format) + strlen(sender) - 1); if (buf) {

-Evan

From arodland@entermail.net Tue Jan 24 18:21:40 2006
From: arodland@entermail.net (Andrew Rodland)
Date: Tue, 24 Jan 2006 13:21:40 -0500
Subject: [OTR-dev] Gaim 2.0 Update
In-Reply-To: <20060120151742.GG31179@smtp.paip.net>
References: <200601181355.51319.arodland@entermail.net>
 <20060120151742.GG31179@smtp.paip.net>
Message-ID: <200601241321.40896.arodland@entermail.net>

On Friday 20 January 2006 10:17, Ian Goldberg wrote:
> On Wed, Jan 18, 2006 at 01:55:46PM -0500, Andrew Rodland wrote:
> > [snipped patch to bring gaim-otr 3 in line with new gaim 2.0 api]
> This can't be right. The type of the second parameter to
> gaim_menu_action_new isn't the same as the type of the second parameter
> to gaim_blist_node_action_new. The latter should be a
> void (*callback)(GaimBlistNode *, gpointer), which otr_options_cb is,
> but gaim_menu_action_new takes a GaimCallback, which is a
> void(*callback)(void) there instead.
>
> But looking through the gaim code, it seems that callback is actually
> called with arguments, so I guess just a typecast to (GaimCallback) in
> front of the second parameter is in order.
>
Yeah, that's pretty strange. I didn't dig too deeply into it; I just noticed
that with my patch, the plugin compiles and the menu works, despite the
pointer cast warning. Certainly I don't mind if someone does it "right", just
providing the heads-up.

Andrew

From ian@cypherpunks.ca Tue Jan 24 19:58:02 2006
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Tue, 24 Jan 2006 14:58:02 -0500
Subject: [OTR-dev] Typo fix in error message
In-Reply-To:
References:
Message-ID: <20060124195802.GV31179@smtp.paip.net>

On Tue, Jan 24, 2006 at 10:07:12AM -0500, Evan Schoenberg wrote:
> - "encrypted messahe from %s." : > + "encrypted message from %s." :

We'd already applied that patch, but thanks for the heads-up! :-)

- Ian

From asm@CS.Stanford.EDU Sat Jan 28 01:09:45 2006
From: asm@CS.Stanford.EDU (Andrew S. Morrison)
Date: Fri, 27 Jan 2006 17:09:45 -0800
Subject: [OTR-dev] Protocol Clarification
Message-ID: <20060128010945.GA17082@xenon.Stanford.EDU>

In the "OTR Messaging Protocol Version 2" docs, the first transmission is
stated to contain {g^x, HASH(g^x}. In the slides for WPES, it is stated to
be {g^x, SIGN_A(g^x} and in the paper for WPES it is stated to be
{g^{x_1}}. Where may I find the canonical protocol specification?

--
Andrew S. Morrison
asm@cs.stanford.edu
(650) 575 9261

From ian@cypherpunks.ca Sat Jan 28 01:31:21 2006
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Fri, 27 Jan 2006 20:31:21 -0500
Subject: [OTR-dev] Protocol Clarification
In-Reply-To: <20060128010945.GA17082@xenon.Stanford.EDU>
References: <20060128010945.GA17082@xenon.Stanford.EDU>
Message-ID: <20060128013121.GB31179@smtp.paip.net>

On Fri, Jan 27, 2006 at 05:09:45PM -0800, Andrew S. Morrison wrote:
> In the "OTR Messaging Protocol Version 2" docs, the first transmission is
> stated to contain {g^x, HASH(g^x}. In the slides for WPES, it is stated to
> be {g^x, SIGN_A(g^x} and in the paper for WPES it is stated to be
> {g^{x_1}}. Where may I find the canonical protocol specification?

WPES was OTR protocol version 1. "Off-the-Record Messaging Protocol
version 2" is the current spec, where it (correctly) says that the first
message is { AES_r(g^x), HASH(g^x) }.

- Ian
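
The distinction drawn in the "Key question" thread in this archive, between validating a PGP signature and trusting it for a given IM identity, worked through as an added example that is not part of any message here or of the OTR code. The key ids (KEY-A, KEY-B), the example.org UIDs and the `im:<protocol>:<account>` UID form are assumptions, and signature verification is taken as an already-computed boolean.

```python
import re
from dataclasses import dataclass

# Cleartext bodies as quoted in the thread (account name and fingerprints are
# from the page). Key ids, UIDs and the "im:" UID form below are constructed.
STATEMENT_1 = """\
Jabber account: roconnor@jabber.org
Fingerprint: E80BB592 1E3B491E FB5E5559 028D6F7C 9128F1A9
AIM account: (Jabber is prefered)
Fingerprint: 3D1F0B07 5A17682B CDB4DB6E 03DB7D45 39B09E9C
"""
STATEMENT_2 = """\
Jabber account: roconnor@jabber.org
Fingerprint: A9D70580 72FC7401 25899589 4CD3CD12 E792C538
"""

ACCOUNT_RE = re.compile(r"^(\w+) account:\s*(\S+)$")
FPR_RE = re.compile(r"^Fingerprint:\s*((?:[0-9A-F]{8}\s+){4}[0-9A-F]{8})$")


def parse_statement(text):
    """Map (protocol, account) -> 40-hex fingerprint; placeholder entries such
    as "(Jabber is prefered)" are not account names and are skipped."""
    claims, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        acct = ACCOUNT_RE.match(line)
        if acct:
            pending = (acct.group(1).lower(), acct.group(2).lower())
            continue
        fpr = FPR_RE.match(line)
        if fpr and pending:
            claims[pending] = "".join(fpr.group(1).split())
        pending = None
    return claims


@dataclass
class Key:
    valid_uids: set           # UIDs the verifier already considers valid
    introducer: bool = False  # verifier trusts this key to certify others


def im_uid(protocol, account):
    # Assumed canonical form; the thread only asks for "some canonical format".
    return f"im:{protocol}:{account}"


def resolve(account, signed, keyring, policy):
    """signed: iterable of (key_id, signature_ok, cleartext). signature_ok is
    the result of ordinary PGP verification, done elsewhere (validation).
    Returns ("trusted", fpr), ("conflict", [fprs]) or ("unknown", None)."""
    accepted = set()
    for key_id, signature_ok, text in signed:
        key = keyring.get(key_id)
        if key is None or not signature_ok:
            continue  # fails validation, so trust is never considered
        fpr = parse_statement(text).get(account)
        if fpr is None:
            continue
        if policy == "uid-binding":   # signer's key must list this IM identity
            trusted = im_uid(*account) in key.valid_uids
        elif policy == "introducer":  # any key trusted to certify may speak
            trusted = key.introducer
        else:
            raise ValueError(f"unknown policy: {policy}")
        if trusted:
            accepted.add(fpr)
    if not accepted:
        return ("unknown", None)
    if len(accepted) > 1:
        return ("conflict", sorted(accepted))
    return ("trusted", accepted.pop())


def demo():
    account = ("jabber", "roconnor@jabber.org")
    signed = [("KEY-A", True, STATEMENT_1), ("KEY-B", True, STATEMENT_2)]
    keyring = {
        "KEY-A": Key({"signer-a@example.org"}, introducer=True),
        "KEY-B": Key({"signer-b@example.org"}, introducer=True),
    }
    # Both signatures validate, but neither key names the Jabber identity.
    no_binding = resolve(account, signed, keyring, "uid-binding")
    # Trusting both signers as introducers yields two contradictory answers.
    introducers = resolve(account, signed, keyring, "introducer")
    # Once one key carries the IM identity as a valid UID (KEY-A is an
    # arbitrary choice here), exactly one statement is authoritative.
    keyring["KEY-A"].valid_uids.add(im_uid(*account))
    bound = resolve(account, signed, keyring, "uid-binding")
    return no_binding, introducers, bound


if __name__ == "__main__":
    for label, result in zip(("no UID", "introducers", "UID bound"), demo()):
        print(f"{label:12} {result}")
```
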