From jcohen07@brandeis.edu Tue May 3 23:59:05 2005
From: jcohen07@brandeis.edu (Jason Cohen)
Date: Tue, 03 May 2005 18:59:05 -0400
Subject: [OTR-users] Re: [OTR-announce] New OTR software, and other news
In-Reply-To: <20050503215815.GT1071@smtp.paip.net>
References: <20050503215815.GT1071@smtp.paip.net>
Message-ID: <42780239.7080003@brandeis.edu>

gaim-otr-2.0.2 fixed conflicts between gaim-encrypt and OTR when both plugins are enabled. Thanks!

Jason

Ian Goldberg wrote:

> - gaim-otr-2.0.2 and libotr-2.0.2 released. Changes from 2.0.1:
>* - Fix to co-exist more nicely with other encrypting gaim plugins.*
> - gaim-otr is now autoconfiscated, thanks to Greg Troxel.
>
> - Ian
>_______________________________________________
>OTR-announce mailing list
>OTR-announce@lists.cypherpunks.ca
>http://lists.cypherpunks.ca/mailman/listinfo/otr-announce

From Laura Traversa Wed May 4 20:22:00 2005
From: Laura Traversa (Laura Traversa)
Date: Wed, 4 May 2005 21:22:00 +0200
Subject: [OTR-users] (no subject)
Message-ID:

From ian@cypherpunks.ca Fri May 6 00:12:58 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Thu, 5 May 2005 19:12:58 -0400
Subject: [OTR-users] Trillian + otrproxy screenshots?
Message-ID: <20050505231258.GC1071@smtp.paip.net>

Can any of you Trillian + otrproxy users send some instructions (and maybe screenshots?) on how to install / configure it? The trickiest bit seems to be how to configure the per-protocol proxy settings in Trillian.

Thanks,

- Ian

From ian@cypherpunks.ca Wed May 11 19:18:34 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Wed, 11 May 2005 14:18:34 -0400
Subject: [OTR-users] What distros ship with OTR software?
Message-ID: <20050511181834.GX1071@smtp.paip.net>

I'm making a list of distros that ship with OTR software. So far, I've got Gentoo, Debian sarge, Debian unstable, Ubuntu Breezy, FreeBSD, and NetBSD.

Does anyone have pointers to ones I've missed?

Also, is anyone aware of an IM client other than Adium X which supports OTR natively?

Thanks,

- Ian

From rguerra@lists.privaterra.org Wed May 11 22:17:25 2005
From: rguerra@lists.privaterra.org (Robert Guerra)
Date: Wed, 11 May 2005 17:17:25 -0400
Subject: [OTR-users] What distros ship with OTR software?
In-Reply-To: <20050511181834.GX1071@smtp.paip.net>
References: <20050511181834.GX1071@smtp.paip.net>
Message-ID: <30A9D980-7A52-43F4-A938-E31876984010@lists.privaterra.org>

Ian:

it would be great to have OTR added in the next update/release Ubuntu linux. It's an up and coming distro that is quite nice.

http://www.ubuntulinux.org/

regards

Robert

On 11-May-05, at 2:18 PM, Ian Goldberg wrote:

> I'm making a list of distros that ship with OTR software. So far, I've
> got Gentoo, Debian sarge, Debian unstable, Ubuntu Breezy, FreeBSD, and
> NetBSD.
>
> Does anyone have pointers to ones I've missed?
>
> Also, is anyone aware of an IM client other than Adium X which supports
> OTR natively?
>
> Thanks,
>
> - Ian
> _______________________________________________
> OTR-users mailing list
> OTR-users@lists.cypherpunks.ca
> http://lists.cypherpunks.ca/mailman/listinfo/otr-users
>

From kat@paip.net Wed May 11 22:23:00 2005
From: kat@paip.net (Kat Hanna)
Date: Wed, 11 May 2005 17:23:00 -0400 (EDT)
Subject: [OTR-users] What distros ship with OTR software?
In-Reply-To: <30A9D980-7A52-43F4-A938-E31876984010@lists.privaterra.org>
References: <20050511181834.GX1071@smtp.paip.net> <30A9D980-7A52-43F4-A938-E31876984010@lists.privaterra.org>
Message-ID:

Your wish is granted! That was easy. ;-)

See below - Breezy is the next release, and OTR is in it.

-Kat

On Wed, 11 May 2005, Robert Guerra wrote:

> Ian:
>
> it would be great to have OTR added in the next update/release Ubuntu
> linux. It's an up and coming distro that is quite nice.
>
> http://www.ubuntulinux.org/
>
> regards
>
> Robert
>
> On 11-May-05, at 2:18 PM, Ian Goldberg wrote:
>
> > I'm making a list of distros that ship with OTR software.
> > So far, I've got Gentoo, Debian sarge, Debian unstable, Ubuntu Breezy,
> > FreeBSD, and NetBSD.
> >
> > Does anyone have pointers to ones I've missed?
> >
> > Also, is anyone aware of an IM client other than Adium X which supports
> > OTR natively?
> >
> > Thanks,
> >
> > - Ian
>

From gdt@ir.bbn.com Thu May 12 13:29:12 2005
From: gdt@ir.bbn.com (Greg Troxel)
Date: 12 May 2005 08:29:12 -0400
Subject: [OTR-users] What distros ship with OTR software?
In-Reply-To: <20050511181834.GX1071@smtp.paip.net>
References: <20050511181834.GX1071@smtp.paip.net>
Message-ID:

Ian Goldberg writes:

> I'm making a list of distros that ship with OTR software. So far, I've
> got Gentoo, Debian sarge, Debian unstable, Ubuntu Breezy, FreeBSD, and
> NetBSD.

I think of "distro" as short for "Linux distribution", so I wouldn't use that word to apply to BSD, but I know what you mean.

otr, and gaim-otr, are in NetBSD pkgsrc, but of course not in the base system. So "ship with" is true if you include pkgsrc, and it does make sense to include it, since the base system is (intentionally) fairly sparse.

pkgsrc can be used on a huge list of operating systems - pretty much all modern relevant ones. Sun just donated servers to NetBSD, to run Solaris and be used to support pkgsrc on Solaris:

http://www.netbsd.org/Foundation/press/sun-donation.html

So while Solaris probably can't be said to "ship with" pkgsrc, it's a pretty easy way for Solaris users to get otr (and more importantly gaim, since gaim is much harder to compile by hand due to sheer number of dependencies).

--
Greg Troxel

From aldert@rotz.org Thu May 12 20:12:52 2005
From: aldert@rotz.org (Aldert J.B.P. Hazenberg)
Date: Thu, 12 May 2005 21:12:52 +0200
Subject: [OTR-users] Works fine : Gaim 1.3.0 and OTR plugin for gaim 2.0.2
In-Reply-To: <20050511181834.GX1071@smtp.paip.net>
References: <20050511181834.GX1071@smtp.paip.net>
Message-ID: <4283AAB4.6020806@rotz.org>

Hi,

Gaim 1.3.0 was released 2 days ago :
http://gaim.sourceforge.net/

It fixes a security bug or 2 so it's a good idea to upgrade...
http://gaim.sourceforge.net/security/index.php

I downloaded the windows version and installed the OTR plugin for gaim version 2.0.2 available from the cypherpunks.ca website as well :
http://www.cypherpunks.ca/otr/binaries/windows/gaim-otr-2.0.2.exe
http://www.cypherpunks.ca/otr/binaries/windows/gaim-otr-2.0.2.exe.asc

After some quick tests with AIM and ICQ it looks to -me- that the OTR plugin 2.0.2 that worked fine on Gaim 1.2.0 and 1.2.1 also works fine with Gaim 1.3.0.

Aldert.

From paul@cypherpunks.ca Thu May 12 23:45:37 2005
From: paul@cypherpunks.ca (Paul Wouters)
Date: Fri, 13 May 2005 00:45:37 +0200 (CEST)
Subject: [OTR-users] Works fine : Gaim 1.3.0 and OTR plugin for gaim 2.0.2
In-Reply-To: <4283AAB4.6020806@rotz.org>
References: <20050511181834.GX1071@smtp.paip.net> <4283AAB4.6020806@rotz.org>
Message-ID:

On Thu, 12 May 2005, Aldert J.B.P. Hazenberg wrote:

> After some quick tests with AIM and ICQ it looks to -me- that the OTR
> plugin 2.0.2 that worked fine on Gaim 1.2.0 and 1.2.1 also works fine
> with Gaim 1.3.0.

Same here. Fedora pushed me the 1.30 gaim yesterday and it worked fine with the current libotr/gaim-otr.

Paul

From smu johnson Fri May 13 06:18:49 2005
From: smu johnson (smu johnson)
Date: Thu, 12 May 2005 22:18:49 -0700
Subject: [OTR-users] Problem compiling in Ubuntu Linux
Message-ID: <674e4ddd050512221834dc052a@mail.gmail.com>

Hey all,

checking for glib-2.0 >= 2.4 gtk+-2.0 >= 2.4 gaim >= 1.0...
Requested 'glib-2.0 >= 2.4' but version of GLib is 2.0.0
configure: error: glib
./configure: line 19506: exit: gtk: numeric argument required
./configure: line 19506: exit: gtk: numeric argument required

This is the problem when compiling the Gaim plugin.... unbelievable! I installed 2.0.4, 2.0.7, and now 2.0.0 and STILL get this error.

Ubuntu has the libglib's already installed and they are 2.0. I don't know what the problem is!

Thanks!

From ian@cypherpunks.ca Fri May 13 14:18:02 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Fri, 13 May 2005 09:18:02 -0400
Subject: [OTR-users] Problem compiling in Ubuntu Linux
In-Reply-To: <674e4ddd050512221834dc052a@mail.gmail.com>
References: <674e4ddd050512221834dc052a@mail.gmail.com>
Message-ID: <20050513131802.GQ1071@smtp.paip.net>

On Thu, May 12, 2005 at 10:18:49PM -0700, smu johnson wrote:
> Hey all,
>
> checking for glib-2.0 >= 2.4 gtk+-2.0 >= 2.4 gaim >= 1.0... Requested
> 'glib-2.0 >= 2.4' but version of GLib is 2.0.0
> configure: error: glib
> ./configure: line 19506: exit: gtk: numeric argument required
> ./configure: line 19506: exit: gtk: numeric argument required
>
> This is the problem when compiling the Gaim plugin.... unbelievable!
> I installed 2.0.4, 2.0.7, and now 2.0.0 and STILL get this error.
>
> Ubuntu has the libglib's already installed and they are 2.0. I don't
> know what the problem is!

You need at least version 2.4.0 of glib and gtk. Ubuntu Hoary has 2.6.3 in it (http://packages.ubuntu.com/hoary/libs/libglib2.0-0) so that should be fine. Warty's got 2.4.x in it, which is also fine. Where are you finding the 2.0.x versions?

The command:

    $ pkg-config --modversion glib-2.0

will show you what version you've got installed.

- Ian

From jcohen07@brandeis.edu Sat May 14 21:03:07 2005
From: jcohen07@brandeis.edu (Jason Cohen)
Date: Sat, 14 May 2005 16:03:07 -0400
Subject: [OTR-users] gaim-otr in debian unstable
Message-ID: <4286597B.3000203@brandeis.edu>

Debian unstable still has gaim-otr 2.0.1.
Is there any plan to include 2.0.2 in unstable (sid)? It would be quite nice considering that debian also includes gaim-encryption and the two plugins conflict when used together in 2.0.1 but not in 2.0.2.

Thanks.

Jason

From ian@cypherpunks.ca Mon May 16 21:41:30 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Mon, 16 May 2005 16:41:30 -0400
Subject: [OTR-users] Notice to users of iChat on OSX Tiger
Message-ID: <20050516204130.GG1071@smtp.paip.net>

It has come to our attention that the Tiger version of iChat continues to have the bug that existed in Panther (#3930228) which prevents it from connecting to a localhost SOCKS or HTTPS proxy. In addition, there is a new bug in Tiger (#4120243) which prevents iChat from using an HTTP proxy at all [http://discussions.info.apple.com/webx?13@367.qsNaabcKVYH.632707@.68adb401/0].

As a result, the Tiger version of iChat is completely unable to use a localhost proxy, and so will no longer work with otrproxy.

This is very unfortunate, and the only workaround at the moment is to stick to Panther, or to use a different IM client. If you choose the latter, note that Adium X [http://www.adiumx.com/] now supports OTR natively; there is no need to use otrproxy with it.

Feh. :-(

- Ian

From gorilla@i2pmail.org Tue May 17 13:45:12 2005
From: gorilla@i2pmail.org (gorilla)
Date: Tue, 17 May 2005 12:45:12 +0000 (UCT)
Subject: [OTR-users] IRC
Message-ID: <20050517124512.A40374259@a.mx.i2pmail.org>

Hi

I can't find any reference to which protocols the gaim OTR plugin handles - does it do all of them?

I can't get OTR to work with IRC. When I click the 'OTR:not private' button, I get an OTR Error popup window saying "We received a malformed Key Exchange message from BlahBlah". The other client gets this text coming up in the chat window:

*blah:* test2@irc.freenode.net has requested an Off-the-Record private conversation. However, you do not have a plugin to support that.
*blah:* See http://www.cypherpunks.ca/otr/ for more information.

This is Gaim 1.3.0 on Linux with OTR 2.0.2. I get the same thing trying to talk to Gaim and OTR running on windows.

Any hints to get this working would be much appreciated,

Gorilla.

From ian@cypherpunks.ca Tue May 17 14:25:29 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Tue, 17 May 2005 09:25:29 -0400
Subject: [OTR-users] IRC
In-Reply-To: <20050517124512.A40374259@a.mx.i2pmail.org>
References: <20050517124512.A40374259@a.mx.i2pmail.org>
Message-ID: <20050517132529.GM1071@smtp.paip.net>

On Tue, May 17, 2005 at 12:45:12PM +0000, gorilla wrote:
> Hi
>
> I can't find any reference to which protocols the gaim OTR plugin
> handles - does it do all of them?
>
> I can't get OTR to work with IRC. When I click the 'OTR:not private'
> button, I get an OTR Error popup window saying "We received a malformed
> Key Exchange message from BlahBlah". The other client gets this text
> coming up in the chat window:

Indeed, it turns out IRC's maximum message size is too small for an OTR Key Exchange Message to fit. :-( Long-term, we'll need some manner of automated MMS-detection + fragmentation.

What protocols does OTR work on? I'm pretty sure it's been tested on at least:

- AIM
- ICQ
- Yahoo
- MSN
- Jabber
- Sametime

I think IRC's the only one it's been observed not to work on.

If anyone out there has tested OTR on another protocol, post a note to let us know! We should certainly add this info to the web page.

Thanks,

- Ian

From lists@lohengrin.net Tue May 17 15:49:39 2005
From: lists@lohengrin.net (lists@lohengrin.net)
Date: Tue, 17 May 2005 09:49:39 -0500
Subject: [OTR-users] Trillian + otrproxy screenshots?
In-Reply-To: <20050505231258.GC1071@smtp.paip.net>; from ian@cypherpunks.ca on Thu, May 05, 2005 at 07:12:58PM -0400
References: <20050505231258.GC1071@smtp.paip.net>
Message-ID: <20050517094939.A2435@alliance.rogue-squad.com>

* ian@cypherpunks.ca [2005.05.05 18:18]:
> Can any of you Trillian + otrproxy users send some instructions (and
> maybe screenshots?)
> on how to install / configure it? The trickiest bit
> seems to be how to configure the per-protocol proxy settings in Trillian.

Ian,

Did you get any replies to this offlist? I didn't see any on the list and I'm interested as well.

Cheers,
Sean

--
The Roman Rule: The one who says it cannot be done should never interrupt the one who is doing it.

From ian@cypherpunks.ca Tue May 17 16:06:35 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Tue, 17 May 2005 11:06:35 -0400
Subject: [OTR-users] Trillian + otrproxy screenshots?
In-Reply-To: <20050517094939.A2435@alliance.rogue-squad.com>
References: <20050505231258.GC1071@smtp.paip.net> <20050517094939.A2435@alliance.rogue-squad.com>
Message-ID: <20050517150635.GN1071@smtp.paip.net>

On Tue, May 17, 2005 at 09:49:39AM -0500, lists@lohengrin.net wrote:
> * ian@cypherpunks.ca [2005.05.05 18:18]:
> > Can any of you Trillian + otrproxy users send some instructions (and
> > maybe screenshots?) on how to install / configure it? The trickiest bit
> > seems to be how to configure the per-protocol proxy settings in Trillian.
>
> Ian,
>
> Did you get any replies to this offlist? I didn't see any on the list
> and I'm interested as well.

Aldert's doing some. He sent me some raw screenshots, which he says he'll touch up and annotate.

- Ian

From aldert@rotz.org Tue May 17 23:09:42 2005
From: aldert@rotz.org (Aldert J.B.P. Hazenberg)
Date: Wed, 18 May 2005 00:09:42 +0200
Subject: [OTR-users] Trillian + otrproxy screenshots?
In-Reply-To: <20050517150635.GN1071@smtp.paip.net>
References: <20050505231258.GC1071@smtp.paip.net> <20050517094939.A2435@alliance.rogue-squad.com> <20050517150635.GN1071@smtp.paip.net>
Message-ID: <428A6BA6.4080103@rotz.org>

Ian Goldberg wrote:
> On Tue, May 17, 2005 at 09:49:39AM -0500, lists@lohengrin.net wrote:
>
>> * ian@cypherpunks.ca [2005.05.05 18:18]:
>>
>>> Can any of you Trillian + otrproxy users send some instructions (and
>>> maybe screenshots?) on how to install / configure it?
>>> The trickiest bit
>>> seems to be how to configure the per-protocol proxy settings in Trillian.
>>
>> Ian,
>>
>> Did you get any replies to this offlist? I didn't see any on the list
>> and I'm interested as well.
>
>
> Aldert's doing some. He sent me some raw screenshots, which he says
> he'll touch up and annotate.
>

Gimme till tomorrow this time, I just got myself also Trillian Pro so I can compare if the 'free' version differs that much with the screenshots I have now.

I plan to make a 'crude' webpage with nice screenshots, red arrows on them and some text around them.

If you think you like to see a certain OTR action in (more) detail let me know (now or tomorrow) and I will include/add those.

Aldert.

From ian@cypherpunks.ca Thu May 19 20:55:58 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Thu, 19 May 2005 15:55:58 -0400
Subject: [OTR-users] Opinions on proposed "unknown fingerprint" behaviour?
Message-ID: <20050519195558.GT1071@smtp.paip.net>

The largest usability issue with OTR right now seems to me to be what happens when you try to talk to someone for the first time. Each side having to actively accept the other's fingerprint leads to all sorts of weird behaviours when one side accepts, and then starts typing before the other side accepts. [Len's bug #1198389 is related to this, as well.] There's also been call for removing the "Private connection established" dialog completely.

So what would people think about this:

- When you receive a new fingerprint, you're notified of this fact (with
  a dialog box), but it's automatically accepted right away. [Noting
  that approximately everyone just clicks "OK" anyway, this doesn't
  change the usual behaviour.]

- If you *don't* want to accept the fingerprint, you'd have to delete it
  from your "known fingerprints" list. Like today, I don't intend for
  there to be a "known bad fingerprints" list.
  [Another option would be
  for the above dialog to continue to have "accept / not accept"
  buttons, and clicking the latter would cause the fingerprint to be
  deleted from the known fingerprints list (it would have been added the
  moment the dialog popped up).]

- The "private connection established" dialog goes away (or is made
  optional), but the fingerprint and secure session id that are in there
  now must still be accessible somehow (clicking the "OTR: Private"
  button, maybe?).

So, comments?

Thanks,

- Ian

From bsittler@gmail.com Thu May 19 22:04:38 2005
From: bsittler@gmail.com (Benjamin C. Wiley Sittler)
Date: Thu, 19 May 2005 14:04:38 -0700
Subject: [OTR-users] Opinions on proposed "unknown fingerprint" behaviour?
In-Reply-To: <20050519195558.GT1071@smtp.paip.net>
References: <20050519195558.GT1071@smtp.paip.net>
Message-ID: <428cff66.O0q4PDzAR1QmUpVA%bsittler@gmail.com>

Ian Goldberg wrote:

> The largest usability issue with OTR right now seems to me to be what
> happens when you try to talk to someone for the first time. Each side
> having to actively accept the other's fingerprint leads to all sorts of
> weird behaviours when one side accepts, and then starts typing before
> the other side accepts. [Len's bug #1198389 is related to this, as
> well.] There's also been call for removing the "Private connection
> established" dialog completely.
>
> So what would people think about this:
>
> - When you receive a new fingerprint, you're notified of this fact (with
>   a dialog box), but it's automatically accepted right away. [Noting
>   that approximately everyone just clicks "OK" anyway, this doesn't
>   change the usual behaviour.]
>
> - If you *don't* want to accept the fingerprint, you'd have to delete it
>   from your "known fingerprints" list. Like today, I don't intend for
>   there to be a "known bad fingerprints" list.
>   [Another option would be
>   for the above dialog to continue to have "accept / not accept"
>   buttons, and clicking the latter would cause the fingerprint to be
>   deleted from the known fingerprints list (it would have been added the
>   moment the dialog popped up).]
>
> - The "private connection established" dialog goes away (or is made
>   optional), but the fingerprint and secure session id that are in there
>   now must still be accessible somehow (clicking the "OTR: Private"
>   button, maybe?).
>
> So, comments?
>
> Thanks,
>
> - Ian

Great! Will this mean I can once again use otrproxy with an ncurses aim client over ssh, without needing to worry about bringing up VNC to accept a conversation every time one of my buddies with OTR tries to chat?

If so, I'm all for it... seems much easier than the wxcurses path I was on previously...

-Ben

From me@nikita.ca Thu May 19 22:25:27 2005
From: me@nikita.ca (Nikita Borisov)
Date: Thu, 19 May 2005 14:25:27 -0700
Subject: [OTR-users] Opinions on proposed "unknown fingerprint" behaviour?
In-Reply-To: <20050519195558.GT1071@smtp.paip.net>
References: <20050519195558.GT1071@smtp.paip.net>
Message-ID: <16f0378d0505191425e584b24@mail.gmail.com>

On 5/19/05, Ian Goldberg wrote:
>
> - The "private connection established" dialog goes away (or is made
>   optional), but the fingerprint and secure session id that are in there
>   now must still be accessible somehow (clicking the "OTR: Private"
>   button, maybe?).

I think we should make the dialog go away, or at least replace it with some sort of inline display.
I really like the way Adium handles that: it displays a message "Encrypted OTR chat initiated" inside the conversation window. Is there any hope of doing something like that under Gaim? It makes OTR so much nicer to use.

- Nikita

From rgould@nosc.mil Fri May 20 15:08:47 2005
From: rgould@nosc.mil (Ryan B. Gould)
Date: Fri, 20 May 2005 07:08:47 -0700
Subject: [OTR-users] Re: OTR-users digest, Vol 1 #63 - 3 msgs
In-Reply-To: <20050520103135.5988.46123.Mailman@brandeis.paip.net>
References: <20050520103135.5988.46123.Mailman@brandeis.paip.net>
Message-ID: <291EDE46-82E2-45A2-972B-B1059F169487@nosc.mil>

i like the third option (to be able to hide all that stuff). as far as i am concerned security should be made transparent. it should be made easy. trying to explain the concepts of keys (fingerprints) to my sixty-year-old father is a conversation i do not wish to have again. so, yes, an auto-accept checkbox would be fantastic. at the same time, as nikita said, the simple in-conversation message telling you that you are secure is also very nice.

i can't tell you how much i appreciate this OTR stuff. it makes the world a better place. thanks ian, and co..

> So what would people think about this:
>
> - When you receive a new fingerprint, you're notified of this fact (with
>   a dialog box), but it's automatically accepted right away. [Noting
>   that approximately everyone just clicks "OK" anyway, this doesn't
>   change the usual behaviour.]
>
> - If you *don't* want to accept the fingerprint, you'd have to delete it
>   from your "known fingerprints" list. Like today, I don't intend for
>   there to be a "known bad fingerprints" list. [Another option would be
>   for the above dialog to continue to have "accept / not accept"
>   buttons, and clicking the latter would cause the fingerprint to be
>   deleted from the known fingerprints list (it would have been added the
>   moment the dialog popped up).]
>
> - The "private connection established" dialog goes away (or is made
>   optional), but the fingerprint and secure session id that are in there
>   now must still be accessible somehow (clicking the "OTR: Private"
>   button, maybe?).
>

From jcohen07@brandeis.edu Fri May 20 15:51:26 2005
From: jcohen07@brandeis.edu (Jason Cohen)
Date: Fri, 20 May 2005 10:51:26 -0400
Subject: [OTR-users] Opinions on proposed "unknown fingerprint" behaviour?
Message-ID: <428DF96E.4080605@brandeis.edu>

I like the idea of having the "private connection established" dialog box as an in-conversation message with the ability to get the session id and fingerprint by clicking the OTR Private button. However, I think there should still be an option to keep the old system in place with regard to accepting new fingerprints. The system is only secure if the fingerprint is authenticated out of bounds. Otherwise, you don't know who you're talking to. I understand that some users might not want to do this so they should have the option of auto-accepting new keys. I still think a dialog box should come up asking if you want to accept the fingerprint so that you can override the automatic choice without needing to access the known fingerprint list.

I also like getting the "private connection established" dialog box as it clearly informs me that a private conversation has been started even if gaim is minimized. Could we have the option of keeping the "private connection established" dialog box, while setting the default as an in-conversation message?

Also, I was wondering if gaim-otr 2.0.2 is going to be released on debian sid. libotr 2.0.2 is already in sid but the newest version of gaim-otr is 2.0.1 which conflicts with gaim-encryption.

Jason Cohen

From ian@cypherpunks.ca Fri May 20 16:38:19 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Fri, 20 May 2005 11:38:19 -0400
Subject: [OTR-users] Opinions on proposed "unknown fingerprint" behaviour?
In-Reply-To: <16f0378d0505191425e584b24@mail.gmail.com>
References: <20050519195558.GT1071@smtp.paip.net> <16f0378d0505191425e584b24@mail.gmail.com>
Message-ID: <20050520153819.GZ1071@smtp.paip.net>

On Thu, May 19, 2005 at 02:25:27PM -0700, Nikita Borisov wrote:
> On 5/19/05, Ian Goldberg wrote:
> >
> > - The "private connection established" dialog goes away (or is made
> >   optional), but the fingerprint and secure session id that are in there
> >   now must still be accessible somehow (clicking the "OTR: Private"
> >   button, maybe?).
>
>
> I think we should make the dialog go away, or at least replace it with some
> sort of inline display. I really like the way Adium handles that: it
> displays a message "Encrypted OTR chat initiated" inside the conversation
> window. Is there any hope of doing something like that under Gaim? It makes
> OTR so much nicer to use.

Certainly the "Private connection established" message can appear inline, but there still needs to be a way to bring up the fingerprint / session id. [Since I believe in gaim, if there's no conversation window open for a given buddy, messages directed to that window are simply discarded. That's OK for "Private connection established", but not for the session id, etc.]

I'm thinking that clicking "OTR: Private" while a private conversation is active will pop up a window with that info in it, and also a button to refresh the private conversation (the current behaviour of clicking "OTR: Private"). Clicking "OTR: Not private" when there's no private conversation will continue to initiate one.

- Ian

From ian@cypherpunks.ca Fri May 20 16:48:53 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Fri, 20 May 2005 11:48:53 -0400
Subject: [OTR-users] Opinions on proposed "unknown fingerprint" behaviour?
In-Reply-To: <428cff66.O0q4PDzAR1QmUpVA%bsittler@gmail.com>
References: <20050519195558.GT1071@smtp.paip.net> <428cff66.O0q4PDzAR1QmUpVA%bsittler@gmail.com>
Message-ID: <20050520154853.GA1071@smtp.paip.net>

On Thu, May 19, 2005 at 02:04:38PM -0700, Benjamin C. Wiley Sittler wrote:
> Great! Will this mean I can once again use otrproxy with an ncurses aim
> client over ssh, without needing to worry about bringing up VNC to accept
> a conversation every time one of my buddies with OTR tries to chat?
>
> If so, I'm all for it... seems much easier than the wxcurses path I was on
> previously...

Sort of: it *would* still pop up windows letting you know things, but the default action of "don't click on anything" would cause the conversation to proceed (though the windows would pile up).

We looked at wxcurses, but it seems it's not compatible with any recent version of wxWidgets.

It looks like the two ways to go (long term) for people using non-graphical IM clients are:

1. Make a non-graphical (probably curses) UI for otrproxy. The otrproxy
   code is already divided between the "proxy" part and the "UI" part;
   wxui/ is a separate directory. This was _exactly_ so that eventually
   a curses ui could be written. In this case, all of the otrproxy
   output would go to a separate window, but screen(1) can take care of
   that. This has the benefit of simultaneously supporting all
   non-graphical AIM clients that support proxies.

2. Make your IM client support OTR natively. This has the benefit of
   giving you OTR support for any IM protocol supported by your client,
   and not just AIM/ICQ. The OTR UI information can also be more
   seamlessly integrated into your existing client's UI.

- Ian

From Gregory Maxwell Fri May 20 16:57:33 2005
From: Gregory Maxwell (Gregory Maxwell)
Date: Fri, 20 May 2005 11:57:33 -0400
Subject: [OTR-users] Opinions on proposed "unknown fingerprint" behaviour?
In-Reply-To: <20050520153819.GZ1071@smtp.paip.net>
References: <20050519195558.GT1071@smtp.paip.net> <16f0378d0505191425e584b24@mail.gmail.com> <20050520153819.GZ1071@smtp.paip.net>
Message-ID:

On 5/20/05, Ian Goldberg wrote:
> Certainly the "Private connection established" message can appear
> inline, but there still needs to be a way to bring up the fingerprint /
> session id. [Since I believe in gaim, if there's no conversation window
> open for a given buddy, messages directed to that window are simply
> discarded. That's OK for "Private connection established", but not for
> the session id, etc.]
>
> I'm thinking that clicking "OTR: Private" while a private conversation
> is active will pop up a window with that info in it, and also a button
> to refresh the private conversation (the current behaviour of clicking
> "OTR: Private"). Clicking "OTR: Not private" when there's no private
> conversation will continue to initiate one.

That would be fine, but I'd think I'd like to be able to set per user 'no new fingerprints' ... If it's automagic I really don't trust myself to notice a fingerprint change, and I have contacts whom I know will not be changing finger prints. In the case of 'no new fingerprints' the otr establishment should just be rejected until I go toggle that option.

While we're doing that we can put a button inside that popup to disable OTR. It would also be useful to have a /otr disable or something that you can just type into the chat window. Ditto for toggling 'no new fingerprints', I suppose.

The reason I request this is because I have some contacts who use OTR most of the time.. but sometimes they login from some place without OTR and my client still thinks they are running OTR. I say something to them, they get OTR goop, and they continue screaming at me that they have no OTR while I'm frantically navigating through preferences trying to end the private session to keep them from being spammed with OTR messages.
:)

From ian@cypherpunks.ca Fri May 20 16:58:09 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Fri, 20 May 2005 11:58:09 -0400
Subject: [OTR-users] Opinions on proposed "unknown fingerprint" behaviour?
In-Reply-To: <428DF96E.4080605@brandeis.edu>
References: <428DF96E.4080605@brandeis.edu>
Message-ID: <20050520155809.GB1071@smtp.paip.net>

On Fri, May 20, 2005 at 10:51:26AM -0400, Jason Cohen wrote:
> I like the idea of having the "private connection established" dialog
> box as an in-conversation message with the ability to get the session
> id and fingerprint by clicking the OTR Private button. However, I think
> there should still be an option to keep the old system in place with
> regard to accepting new fingerprints. The system is only secure if the
> fingerprint is authenticated out of bounds. Otherwise, you don't know
> who you're talking to. I understand that some users might not want to do
> this so they should have the option of auto-accepting new keys. I still
> think a dialog box should come up asking if you want to accept the
> fingerprint so that you can override the automatic choice without
> needing to access the known fingerprint list.

Right. So there would be something like a "Require explicit confirmation of new fingerprints" option, default off.

If it's off:
  - When a new fingerprint comes in, it's auto-accepted, so that the
    conversation can proceed.
  - A dialog box showing the new fingerprint is displayed, with "Yes"
    and "No" buttons.
  - The "Yes" button simply dismisses the dialog box.
  - The "No" button ends the private connection, forgets the
    fingerprint, and dismisses the dialog box.

If it's on (the current behaviour):
  - When a new fingerprint comes in, it's not auto-accepted. Messages
    that come in at this point will generate errors.
  - A dialog box showing the new fingerprint is displayed, with "Yes"
    and "No" buttons.
  - The "Yes" button accepts the fingerprint, and dismisses the dialog
    box.
  - The "No" button simply dismisses the dialog box.

> I also like getting the "private connection established" dialog box as
> it clearly informs me that a private conversation has been started even
> if gaim is minimized. Could we have the option of keeping the "private
> connection established" dialog box, while setting the default as an
> in-conversation message?

A "Display 'private connection established' dialogs" checkbox, default off. If it's off, you get the behaviour I described in the other message. If it's on, you get the current behaviour (but clicking the "OTR: Private" button would still bring up the window, and you'd have to click a button on *that* window to refresh the private connection; this seems ugly, though; if someone's got a better UI suggestion for how to (a) bring up the session id information, or (b) refresh a private connection, please speak up!).

> Also, I was wondering if gaim-otr 2.0.2 is going to be released on
> debian sid. libotr 2.0.2 is already in sid but the newest version of
> gaim-otr is 2.0.1 which conflicts with gaim-encryption.

You'll have to ask Thibaut, the debian maintainer, about that.

   - Ian

From rgould@nosc.mil Fri May 20 21:17:32 2005
From: rgould@nosc.mil (Ryan B. Gould)
Date: Fri, 20 May 2005 13:17:32 -0700
Subject: [OTR-users] Re: OTR-users digest, Vol 1 #63 - 3 msgs
In-Reply-To: <20050520103135.5988.46123.Mailman@brandeis.paip.net>
References: <20050520103135.5988.46123.Mailman@brandeis.paip.net>
Message-ID: <428E45DC.3090304@nosc.mil>

a good example of why it would be best/great to auto-accept keys is when you are on two different machines chatting with the same person. an example: you are at home and you have an OTR chat going with someone. then you quit the chat. the person you are chatting with either closes the window or leaves it open (it doesn't matter which). then you go to work and login there. the person you were chatting with still thinks that you are using the old key (fingerprint).
then both your attempts to chat with each other barfs with all sorts of malformed packet errors and you are forced to re-establish a connection. if the person that you are chatting with happens to be using windows gaim with the OTR plugin, and they are away from their machine.. they can come back to quite a few error messages.

> So what would people think about this:
>
> - When you receive a new fingerprint, you're notified of this fact (with
>   a dialog box), but it's automatically accepted right away. [Noting
>   that approximately everyone just clicks "OK" anyway, this doesn't
>   change the usual behaviour.]
>
> - If you *don't* want to accept the fingerprint, you'd have to delete it
>   from your "known fingerprints" list. Like today, I don't intend for
>   there to be a "known bad fingerprints" list. [Another option would be
>   for the above dialog to continue to have "accept / not accept"
>   buttons, and clicking the latter would cause the fingerprint to be
>   deleted from the known fingerprints list (it would have been added the
>   moment the dialog popped up).]
>
> - The "private connection established" dialog goes away (or is made
>   optional), but the fingerprint and secure session id that are in there
>   now must still be accessible somehow (clicking the "OTR: Private"
>   button, maybe?).
>

From alaricd@pengdows.com Fri May 20 21:37:42 2005
From: alaricd@pengdows.com (Alaric Dailey)
Date: Fri, 20 May 2005 15:37:42 -0500
Subject: [OTR-users] RE: [OTR-users] Re: OTR-users digest, Vol 1 #63 - 3 msgs
Message-ID:

I like the way Simp (www.secway.fr) handles it, giving you a key manager so you can take your fingerprint/keyrings with you from machine to machine.
having a keyring highlights new and untrusted keys so you are aware of changes

My modification of their way to do it (borrowing from other emails I have seen) would be to give a status in the window letting you know that while you are encrypted it's a "new or untrusted" key. So if you don't trust yourself to look at new or changed autoaccepted keys you will still know, or if you don't care, you can ignore it.

If there is such a "keyring" feature currently in OTR I haven't found it. Forgive me if I don't know all the features of OTR, I have only started using it.

Original Message
-----------------------
a good example of why it would be best/great to auto-accept keys is when you are on two different machines chatting with the same person. an example: you are at home and you have an OTR chat going with someone. then you quit the chat. the person you are chatting with either closes the window or leaves it open (it doesn't matter which). then you go to work and login there. the person you were chatting with still thinks that you are using the old key (fingerprint). then both your attempts to chat with each other barfs with all sorts of malformed packet errors and you are forced to re-establish a connection. if the person that you are chatting with happens to be using windows gaim with the OTR plugin, and they are away from their machine.. they can come back to quite a few error messages.

> So what would people think about this:
>
> - When you receive a new fingerprint, you're notified of this fact (with
>   a dialog box), but it's automatically accepted right away. [Noting
>   that approximately everyone just clicks "OK" anyway, this doesn't
>   change the usual behaviour.]
>
> - If you *don't* want to accept the fingerprint, you'd have to delete it
>   from your "known fingerprints" list. Like today, I don't intend for
>   there to be a "known bad fingerprints" list.
>   [Another option would be
>   for the above dialog to continue to have "accept / not accept"
>   buttons, and clicking the latter would cause the fingerprint to be
>   deleted from the known fingerprints list (it would have been added the
>   moment the dialog popped up).]
>
> - The "private connection established" dialog goes away (or is made
>   optional), but the fingerprint and secure session id that are in there
>   now must still be accessible somehow (clicking the "OTR: Private"
>   button, maybe?).
>

From paul@cypherpunks.ca Sat May 21 23:26:07 2005
From: paul@cypherpunks.ca (Paul Wouters)
Date: Sun, 22 May 2005 00:26:07 +0200 (CEST)
Subject: [OTR-users] Opinions on proposed "unknown fingerprint" behaviour?
In-Reply-To: <20050519195558.GT1071@smtp.paip.net>
References: <20050519195558.GT1071@smtp.paip.net>
Message-ID:

On Thu, 19 May 2005, Ian Goldberg wrote:

> The largest usability issue with OTR right now seems to me to be what
> happens when you try to talk to someone for the first time. Each side
> having to actively accept the other's fingerprint leads to all sorts of
> weird behaviours when one side accepts, and then starts typing before
> the other side accepts.

How about having three states of OTR:

red: Insecure communication
yellow: Using OTR, but not manually configured the fingerprint
green: Using OTR, confirmed fingerprint.

The OTR button could then change from green to yellow automatically, without nasty windows, and the button can provide a way to go from yellow to green, using similar popups that are in use today.

A configuration option could be added which disallows the yellow state, causing the current (paranoid) kind of setup. This option could be called "Allow leap-of-faith OTR communication".
Some help button/option should be available to more elaborately explain the differences and the risks to the users.

The second issue is when a user now changes key. Should we still allow the leap of faith, or should this always pop up a warning? I think if you get multiple keys for a single identity, we should always do some warning.

Another aspect of this kind of setup could be to allow importing of fingerprints through external methods. This could be http, ldap or dns. For example, one could put a fingerprint in a TXT or OTRKEY dns record, which would hopefully be signed by someone you trust somewhere in the hierarchy.

Paul

From paul@cypherpunks.ca Sat May 21 23:30:20 2005
From: paul@cypherpunks.ca (Paul Wouters)
Date: Sun, 22 May 2005 00:30:20 +0200 (CEST)
Subject: [OTR-users] Opinions on proposed "unknown fingerprint" behaviour?
In-Reply-To: <20050520155809.GB1071@smtp.paip.net>
References: <428DF96E.4080605@brandeis.edu> <20050520155809.GB1071@smtp.paip.net>
Message-ID:

On Fri, 20 May 2005, Ian Goldberg wrote:

> Right. So there would be something like a "Require explicit
> confirmation of new fingerprints" option, default off.
>
> If it's off:
>   - When a new fingerprint comes in, it's auto-accepted, so that the
>     conversation can proceed.
>   - A dialog box showing the new fingerprint is displayed, with "Yes"
>     and "No" buttons.
>   - The "Yes" button simply dismisses the dialog box.
>   - The "No" button ends the private connection, forgets the
>     fingerprint, and dismisses the dialog box.
>
> If it's on (the current behaviour):
>   - When a new fingerprint comes in, it's not auto-accepted. Messages
>     that come in at this point will generate errors.
>   - A dialog box showing the new fingerprint is displayed, with "Yes"
>     and "No" buttons.
>   - The "Yes" button accepts the fingerprint, and dismisses the
>     dialog box.
>   - The "No" button simply dismisses the dialog box.
Couldn't the OTR client who gets the unknown fingerprint send back a "hold further messages until I send an OK" message? Then the sending client could, when the user types in another message, either tell the user the message will be queued or just tell it it is not allowed to send more messages until the fingerprint is accepted?

I think queueing on the sending client is safer than transmitting in unconfirmed fingerprint fashion to begin with?

Paul

From vittoso@email.it Wed May 25 19:12:37 2005
From: vittoso@email.it (Vittorio Sozzi)
Date: Wed, 25 May 2005 20:12:37 +0200
Subject: [OTR-users] 2.0.2 for FC3
Message-ID: <4294C015.9010409@email.it>

Dear OTR experts,
would it be possible to have, in the download section, an RPM for Fedora Core 3 of the 2.0.2 version of the OTR plugin for gaim? I tried to build the RPM from source but I didn't succeed (probably a library failure).

Thanks for your time! Cordially.

From paul@cypherpunks.ca Wed May 25 23:11:28 2005
From: paul@cypherpunks.ca (Paul Wouters)
Date: Thu, 26 May 2005 00:11:28 +0200 (CEST)
Subject: [OTR-users] 2.0.2 for FC3
In-Reply-To: <4294C015.9010409@email.it>
References: <4294C015.9010409@email.it>
Message-ID:

On Wed, 25 May 2005, Vittorio Sozzi wrote:

> Dear OTR experts,
> would it be possible to have, in the download section, an RPM for
> Fedora Core 3 of the 2.0.2 version of the OTR plugin for gaim? I tried
> to build the RPM from source but I didn't succeed (probably a
> library failure).

We had the same problems too. Perhaps I can spend some more time over the weekend and get an rpm going.

Paul

From alex323@gmail.com Thu May 26 18:17:54 2005
From: alex323@gmail.com (alex323)
Date: Thu, 26 May 2005 13:17:54 -0400
Subject: [OTR-users] OTR chatroom?
Message-ID: <429604C2.6070605@gmail.com>

You think there should be an IRC room for OTR? I think it would be great.

- Alex

From gdt@ir.bbn.com Tue May 31 13:58:57 2005
From: gdt@ir.bbn.com (Greg Troxel)
Date: 31 May 2005 08:58:57 -0400
Subject: [OTR-users] Opinions on proposed "unknown fingerprint" behaviour?
In-Reply-To: <20050520155809.GB1071@smtp.paip.net>
References: <428DF96E.4080605@brandeis.edu> <20050520155809.GB1071@smtp.paip.net>
Message-ID:

I like your behaviors for fingerprints, except I'd use "Accept" and "Discard". Obviously getting a new fingerprint for a name that already has a fingerprint always generates a box, and doesn't do any auto-accept, but I had to say it.
[while we are talking UI]

I don't use the refresh button often, so having the OTR button pop up a more complicated dialog box would be fine. When I do use it, it's because I suspect the other person has restarted their client, or changed computers. So, I'd like to see

  idle timer on keys, causing them to be marked stale, perhaps 30 minutes default

  when sending with a stale key, send a ping message, recognizable as such to the counterparty even if not keyed, to trigger key exchange, and then send the message.

Right now this is my biggest usability issue. New correspondents are very rare compared to current ones switching among their multiple computers.

Also, gaim/otr doesn't cope well with being logged in on multiple computers at once. I need to test and write up a real bug report...

-- Greg Troxel

From gdt@ir.bbn.com Tue May 31 14:00:32 2005
From: gdt@ir.bbn.com (Greg Troxel)
Date: 31 May 2005 09:00:32 -0400
Subject: [OTR-users] Re: OTR-users digest, Vol 1 #63 - 3 msgs
In-Reply-To: <428E45DC.3090304@nosc.mil>
References: <20050520103135.5988.46123.Mailman@brandeis.paip.net> <428E45DC.3090304@nosc.mil>
Message-ID:

"Ryan B. Gould" writes:

> a good example of why it would be best/great to auto-accept keys is
> when you are on two different machines chatting with the same
> person. an example: you are at home and you have an OTR chat going
> with someone. then you quit the chat. the person you are chatting
> with either closes the window or leaves it open (it doesn't matter
> which). then you go to work and login there. the person you were
> chatting with still thinks that you are using the old key
> (fingerprint). then both your attempts to chat with each other
> barfs with all sorts of malformed packet errors and you are forced
> to re-establish a connection. if the person that you are chatting
> with happens to be using windows gaim with the OTR plugin, and they
> are away from their machine.. they can come back to quite a few
> error messages.
I think the discussion is about fingerprints for public keys used to sign key exchange, not about session keys. I routinely do what you describe and don't have issues but do need to refresh the key exchange when one person switches computers. I've long ago accepted the 2-3 fingerprints for each of my correspondents' machines.

-- Greg Troxel

From rgould@nosc.mil Tue May 31 15:42:05 2005
From: rgould@nosc.mil (Ryan B. Gould)
Date: Tue, 31 May 2005 07:42:05 -0700
Subject: [OTR-users] Re: OTR-users digest, Vol 1 #63 - 3 msgs
In-Reply-To:
References: <20050520103135.5988.46123.Mailman@brandeis.paip.net> <428E45DC.3090304@nosc.mil>
Message-ID: <4FE8A8A9-6B61-4699-BBD0-2482ADE7FBF6@nosc.mil>

On May 31, 2005, at 6:00 AM, Greg Troxel wrote:

> "Ryan B. Gould" writes:
>
>> a good example of why it would be best/great to auto-accept keys is
>> when you are on two different machines chatting with the same
>> person. an example: you are at home and you have an OTR chat going
>> with someone. then you quit the chat. the person you are chatting
>> with either closes the window or leaves it open (it doesn't matter
>> which). then you go to work and login there. the person you were
>> chatting with still thinks that you are using the old key
>> (fingerprint). then both your attempts to chat with each other
>> barfs with all sorts of malformed packet errors and you are forced
>> to re-establish a connection. if the person that you are chatting
>> with happens to be using windows gaim with the OTR plugin, and they
>> are away from their machine.. they can come back to quite a few
>> error messages.
>>
>
> I think the discussion is about fingerprints for public keys used to
> sign key exchange, not about session keys. I routinely do what you
> describe and don't have issues but do need to refresh the key exchange
> when one person switches computers. I've long ago accepted the 2-3
> fingerprints for each of my correspondents' machines.
>
> --
> Greg Troxel

okay, fair enough.
my apologies to everyone for not having analyzed the situation thoroughly before piping up. perhaps it has something to do with the new (to me) "fingerprint" lingo.

yes, the accepting of the keys should still be a manual yes/no process. OTR implementations on mac and windows do a great job at this. still, having the option of an auto-accept might be a nice not-default option.

at the same time, i have experienced a situation on both mac and windows where public keys need to be re-accepted, even though they have been accepted previously. are the public keys set to expire? or is there something in the OTR implementation that rotates keys out after a certain amount of time?

off topic/next topic: i think that the session keys are the ones that should be auto-accepted (or have the ability to choose that option). both the mac and the window implementations don't do a very good job at handling a situation where the session key(s) have changed. perhaps something in the hand-shaking needs to be revised so the two clients don't puke all over each other. an auto-re-negotiation rather than an auto-acceptance?

From aldert@rotz.org Tue May 31 17:26:48 2005
From: aldert@rotz.org (Aldert J.B.P. Hazenberg)
Date: Tue, 31 May 2005 18:26:48 +0200
Subject: [OTR-users] Trillian + otrproxy screenshots
In-Reply-To: <20050505231258.GC1071@smtp.paip.net>
References: <20050505231258.GC1071@smtp.paip.net>
Message-ID: <429C9048.5080602@rotz.org>

Ian Goldberg wrote:

> Can any of you Trillian + otrproxy users send some instructions (and
> maybe screenshots?) on how to install / configure it? The trickiest bit
> seems to be how to configure the per-protocol proxy settings in Trillian.
>

Hi Ian/People,

http://rotz.org/archives/2005/05/otr_trillian.html

Additions/corrections are very welcome !!!

Aldert.
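
Added example, not part of any message in this archive and not gaim-otr or libotr code: a Python model of the fingerprint-acceptance policy proposed in the "unknown fingerprint" thread above. It combines Ian Goldberg's "Require explicit confirmation of new fingerprints" option, Paul Wouters's red/yellow/green states, and Greg Troxel's rule that a new fingerprint for a name that already has one is never auto-accepted. The class and method names, the PENDING state and the placeholder fingerprints are assumptions made for illustration.

```python
from enum import Enum


class State(Enum):
    RED = "not private"             # no OTR session
    YELLOW = "private, unverified"  # fingerprint accepted on a leap of faith
    GREEN = "private, verified"     # fingerprint confirmed out of band
    PENDING = "waiting for user"    # assumed name: dialog shown, nothing accepted yet


class FingerprintStore:
    """Known-fingerprints list: buddy name -> {fingerprint: verified flag}."""

    def __init__(self, require_confirmation=False):
        # Models "Require explicit confirmation of new fingerprints", default off.
        self.require_confirmation = require_confirmation
        self.known = {}

    def on_fingerprint(self, buddy, fp):
        """Classify the fingerprint presented during a key exchange."""
        seen = self.known.get(buddy, {})
        if fp in seen:
            return State.GREEN if seen[fp] else State.YELLOW
        if seen or self.require_confirmation:
            # Second key for a known buddy, or option on: never auto-accept.
            return State.PENDING
        self.known[buddy] = {fp: False}  # first contact, option off: auto-accept
        return State.YELLOW

    def accept(self, buddy, fp):
        """'Yes' on a pending dialog: remember the key, still unverified."""
        self.known.setdefault(buddy, {}).setdefault(fp, False)
        return State.YELLOW

    def reject(self, buddy, fp):
        """'No': forget the fingerprint and end the private connection."""
        self.known.get(buddy, {}).pop(fp, None)
        return State.RED

    def verify(self, buddy, fp):
        """Mark a remembered key as checked out of band."""
        if fp not in self.known.get(buddy, {}):
            raise KeyError("fingerprint was never accepted")
        self.known[buddy][fp] = True
        return State.GREEN


def demo():
    """Constructed scenario: one buddy alternating between two machines."""
    home, work = "HOME-FP-PLACEHOLDER", "WORK-FP-PLACEHOLDER"
    store = FingerprintStore()  # option off
    steps = [
        store.on_fingerprint("alice", home),  # first contact -> YELLOW
        store.verify("alice", home),          # compared out of band -> GREEN
        store.on_fingerprint("alice", work),  # new key, known name -> PENDING
        store.accept("alice", work),          # user clicks Yes -> YELLOW
        store.on_fingerprint("alice", home),  # back on the first machine -> GREEN
    ]
    strict = FingerprintStore(require_confirmation=True)
    steps.append(strict.on_fingerprint("bob", home))  # option on -> PENDING
    steps.append(strict.reject("bob", home))          # user clicks No -> RED
    return [s.name for s in steps]
```

Calling demo() returns the state after each step; the third step is the multi-machine case raised in the thread, where the second key is held for a decision instead of silently replacing a verified one.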