From CLAY@BROKENLADDER.COM Sat Nov 5 06:20:28 2005
From: CLAY@BROKENLADDER.COM (CLAY SHENTRUP)
Date: Fri, 4 Nov 2005 22:20:28 -0800
Subject: [OTR-users] gaim-otr and otrproxy beta 2
In-Reply-To: <20051027193825.GN847@smtp.paip.net>
References: <20051016211421.GT847@smtp.paip.net> <20051027172824.GI847@smtp.paip.net> <9129d8bb0510271106p7b214626v660f9eecb6c5dd5c@mail.gmail.com> <20051027182957.GK847@smtp.paip.net> <9129d8bb0510271151j31e6fea1jdfc8d8c3bb46c8e6@mail.gmail.com> <9129d8bb0510271155l3e5a200byc1b5c8c5ffa9e23b@mail.gmail.com> <20051027193825.GN847@smtp.paip.net>
Message-ID: <9129d8bb0511042220i61ba2621j9683fe353df1cddd@mail.gmail.com>

Why has the page not been updated with links to the betas? I'm trying to
sell Carnegie-Mellon on OTR but the page still mentions the security flaw.

clay

From ian@cypherpunks.ca Sun Nov 6 20:49:10 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Sun, 6 Nov 2005 15:49:10 -0500
Subject: [OTR-users] gaim-otr and otrproxy beta 2
In-Reply-To: <9129d8bb0511042220i61ba2621j9683fe353df1cddd@mail.gmail.com>
References: <20051016211421.GT847@smtp.paip.net> <20051027172824.GI847@smtp.paip.net> <9129d8bb0510271106p7b214626v660f9eecb6c5dd5c@mail.gmail.com> <20051027182957.GK847@smtp.paip.net> <9129d8bb0510271151j31e6fea1jdfc8d8c3bb46c8e6@mail.gmail.com> <9129d8bb0510271155l3e5a200byc1b5c8c5ffa9e23b@mail.gmail.com> <20051027193825.GN847@smtp.paip.net> <9129d8bb0511042220i61ba2621j9683fe353df1cddd@mail.gmail.com>
Message-ID: <20051106204910.GC847@smtp.paip.net>

On Fri, Nov 04, 2005 at 10:20:28PM -0800, CLAY SHENTRUP wrote:
> why has the page not been updated with links to the betas?

The betas weren't meant for random people to download; just this list.
We were waiting to update the web page until the official release, which
happened yesterday.

> i'm trying to
> sell carnegie-mellon on otr but the page still mentions the security flaw.

Funny coincidence; I was just there a couple of weeks ago, giving a talk
on OTR to the CyLab / ISRI Seminar Series.

   - Ian

From CLAY@BROKENLADDER.COM Mon Nov 7 17:57:49 2005
From: CLAY@BROKENLADDER.COM (CLAY SHENTRUP)
Date: Mon, 7 Nov 2005 09:57:49 -0800
Subject: [OTR-users] installing for windows..
Message-ID: <9129d8bb0511070957o349aed8bkbdd802a8a4fa94d5@mail.gmail.com>

The OTR installer won't work for me because I don't have gaim "installed". I
have it installed to my personal account. Is there any way to just get
the .dll?

Also, did anyone figure out how to run gaim + OTR on a flash drive? I'm
interested in doing that, but I don't know whether the path gaim uses to
look for plugins is absolute, relative to home, or relative to the working
directory.

thanks,
clay

--
XEROX COLOR LASER PRINTERS PRINT A SERIES OF SECRET DOTS
ON EVERY PAGE THAT IDENTIFY THE TIME AND DATE YOU PRINTED A
DOCUMENT PLUS THE SERIAL NUMBER OF THE PRINTER YOU USED.
From paul@cypherpunks.ca Mon Nov 7 18:10:10 2005
From: paul@cypherpunks.ca (Paul Wouters)
Date: Mon, 7 Nov 2005 19:10:10 +0100 (CET)
Subject: [OTR-users] Re: [OTR-announce] New OTR software now online
In-Reply-To: <20051105222604.GY847@smtp.paip.net>
References: <20051105222604.GY847@smtp.paip.net>
Message-ID:

On Sat, 5 Nov 2005, Ian Goldberg wrote:

> The new versions of libotr, gaim-otr, and otrproxy are now online, in
> source form, and as Windows installers. The Fedora binaries are on
> their way. Other package maintainers, start your engines. ;-)

libotr and gaimotr packages have just been built on the Fedora Extras
build system and should find their way to the mirrors in the next 24
hours. On Fedora Core 4, yum comes preconfigured with Fedora Extras.
On Fedora Core 3, you need to add the Extras repository to yum:

[extras]
name=Fedora Extras $releasever - $basearch
mirrorlist=http://fedora.redhat.com/download/mirrors/fedora-extras-$releasever
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-extras
gpgcheck=1

If you want to get them before they've hit the mirrors, use:

ftp://ftp.xelerance.com:/mirror/otr/binaries/fedora/

(note those rpms are signed by me, while the Fedora Extras rpms are
signed by the Fedora key)

Paul

From paul@cypherpunks.ca Mon Nov 7 19:25:39 2005
From: paul@cypherpunks.ca (Paul Wouters)
Date: Mon, 7 Nov 2005 20:25:39 +0100 (CET)
Subject: [OTR-users] installing for windows..
In-Reply-To: <9129d8bb0511070957o349aed8bkbdd802a8a4fa94d5@mail.gmail.com>
References: <9129d8bb0511070957o349aed8bkbdd802a8a4fa94d5@mail.gmail.com>
Message-ID:

On Mon, 7 Nov 2005, CLAY SHENTRUP wrote:

> the otr installer won't work for me because i don't have gaim "installed". i
> have it installed to my personal account. is there any way to just get
> the .dll?

That should work as well. What is the error you are seeing? I'll try this
out myself in the next few days as well.

> also, did anyone figure out how to run gaim + otr on a flash drive? i'm
> interested in doing that, but i don't know whether the path gaim uses to
> look for plugins is absolute, relative to home, or relative to the working
> directory.

I am not sure how gaim does that for Windows. Perhaps the sourceforge page
has some details on that?
Paul

From CLAY@BROKENLADDER.COM Thu Nov 10 19:47:37 2005
From: CLAY@BROKENLADDER.COM (CLAY SHENTRUP)
Date: Thu, 10 Nov 2005 11:47:37 -0800
Subject: [OTR-users] generating keys
Message-ID: <9129d8bb0511101147q1c6cbd78j1f5c32fc7286b08f@mail.gmail.com>

First of all, I've been meaning to ask why there is more than one key in
gaim; one for every account. I always manually make them all the same by
editing the private keys file. It would be nice to be able to set it to just
use one key per user per host.

But one thing I just had happen, which was really weird, is that I was using
an account that already has a key, and a new key was generated, obviously
foreign to my friend. I closed gaim and removed the new key from the key
file, and restarted..and everything worked fine. So why did it just add a
new key in the first place?! Bizarre.

clay

From CLAY@BROKENLADDER.COM Thu Nov 10 20:30:31 2005
From: CLAY@BROKENLADDER.COM (CLAY SHENTRUP)
Date: Thu, 10 Nov 2005 12:30:31 -0800
Subject: [OTR-users] generating keys
Message-ID: <9129d8bb0511101230tdb516f0i2083904f96d666bd@mail.gmail.com>

I think I found a pattern here. Every time I change the resource name, say
from work to home, that causes a new key to be generated.

Now I've already stated that I think it's bad to generate a different key
for every account, as opposed to one per user/machine. But I'm sure there's
some reason for this, to account for the extra verification that has to take
place (that drives my friends nuts!). However, I think most people would
agree that a new key just for changing the resource name on the same
account is taking it a little too far. And besides, "resource" is basically
tied to the local device. It makes sense if I have a different key for my
USB drive, with the resource as "FLASH DRIVE", than the one on my home
machine where the resource is "HOME". But how would it make sense to have
two different keys for two different resources for the same account on the
same device? Am I making any sense here?

thanks,
clay

From ian@cypherpunks.ca Thu Nov 10 20:29:22 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Thu, 10 Nov 2005 15:29:22 -0500
Subject: [OTR-users] generating keys
In-Reply-To: <9129d8bb0511101147q1c6cbd78j1f5c32fc7286b08f@mail.gmail.com>
References: <9129d8bb0511101147q1c6cbd78j1f5c32fc7286b08f@mail.gmail.com>
Message-ID: <20051110202922.GW847@smtp.paip.net>

On Thu, Nov 10, 2005 at 11:47:37AM -0800, CLAY SHENTRUP wrote:
> first of all, i've been meaning to ask why there is more than one key in
> gaim; one for every account. i always manually make them all the same by
> editing the private keys file. it would be nice to be able to set it to just
> use one key per user per host.

Different accounts have different keys, because people may not want it
to be obvious that accounts X and Y actually belong to the same person.
You can just put a couple of extra lines on your web page, like this:
http://r6.ca/russellotr.asc

> but one thing i just had happen, which was really weird, is that i was using
> an account that already has a key, and a new key was generated, obviously
> foreign to my friend. i closed gaim and removed the new key from the key
> file, and restarted..and everything worked fine. so why did it just add a
> new key in the first place?! bizarre.
The most probable thing that jumps to mind is that when you edited the
private keys file by hand, you ended up with an invalid key somewhere (a
mismatched paren, possibly). When the new key was created, the keys
file would have been rewritten correctly. Would that match the behaviour
you saw?

   - Ian

From CLAY@BROKENLADDER.COM Thu Nov 10 21:06:37 2005
From: CLAY@BROKENLADDER.COM (CLAY SHENTRUP)
Date: Thu, 10 Nov 2005 13:06:37 -0800
Subject: [OTR-users] key confusion
Message-ID: <9129d8bb0511101306h4e30bfa0hf33c06053782a0a2@mail.gmail.com>

Now I just had this problem where I already had a verified key fingerprint
for my friend, and OTR popped up when I started a session with him, telling
me he was using an unrecognized fingerprint. So I looked in my known
fingerprints list, and it was already in there and added a second time.

When that session was over with, I "forgot" the new copy, and restarted
gaim. The fingerprint was in my list. I started a session with him again,
and it was added again, so again there were two copies of it. Eventually I
just forgot the old copy and just settled on the new (identical) one.

I also kept getting this error like, "sent improperly formed encrypted
message" or something to that effect.

Sounds like we got some bugs to work out.

thanks
clay
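Ian's diagnosis of the regenerated key, a mismatched paren introduced while hand-editing the private keys file, is the kind of fault worth checking mechanically before restarting the client. The Go program below is an added example, not code from libotr or gaim-otr: it tokenises the S-expression layout libotr uses for its private key store, reports unbalanced parentheses, stray closing parens and unterminated literals, rejects accounts missing any of the five DSA fields, and lists the account/protocol pairs it finds. The file layout, the sample account `clay@example.org/home` and the shortened hex values are constructed assumptions, not copied from a real key store.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Added example, not libotr code. libotr keeps private keys in one S-expression,
// (privkeys (account (name "...") (protocol ...) (private-key (dsa (p #hex#) (q #hex#)
// (g #hex#) (y #hex#) (x #hex#))))); that layout is assumed here, and the checker
// relies only on balanced parentheses and on the five DSA fields being present.

// Node is an S-expression element: an atom, or (List != nil) a list of nodes.
type Node struct {
	Atom string
	List []*Node
}

// Tokens: parentheses, "strings", #hex# values, bare symbols, or a lone stray byte.
var tokenRE = regexp.MustCompile(`\(|\)|"[^"]*"|#[^#]*#|[^\s()"#]+|\S`)

// ParseSexp builds the tree with an explicit stack and reports unbalanced parentheses.
func ParseSexp(src string) (*Node, error) {
	stack := []*Node{{List: []*Node{}}} // sentinel root that collects top-level forms
	for _, tok := range tokenRE.FindAllString(src, -1) {
		top := stack[len(stack)-1]
		switch {
		case tok == "(":
			n := &Node{List: []*Node{}}
			top.List = append(top.List, n)
			stack = append(stack, n)
		case tok == ")":
			if len(stack) == 1 {
				return nil, errors.New("stray ')': more closing than opening parentheses")
			}
			stack = stack[:len(stack)-1]
		case tok == `"` || tok == "#":
			return nil, fmt.Errorf("unterminated %s literal", tok)
		case tok[0] == '"' || tok[0] == '#':
			top.List = append(top.List, &Node{Atom: tok[1 : len(tok)-1]})
		default:
			top.List = append(top.List, &Node{Atom: tok})
		}
	}
	if len(stack) > 1 {
		return nil, fmt.Errorf("%d unclosed '(': a ')' is missing", len(stack)-1)
	}
	if len(stack[0].List) != 1 {
		return nil, fmt.Errorf("expected one top-level form, found %d", len(stack[0].List))
	}
	return stack[0].List[0], nil
}

// child returns the (key value ...) sub-list of n, or nil when absent.
func child(n *Node, key string) *Node {
	for _, c := range n.List {
		if len(c.List) >= 2 && c.List[0].Atom == key {
			return c
		}
	}
	return nil
}

// ListAccounts validates a privkeys file and returns "name (protocol)" per account.
func ListAccounts(src string) ([]string, error) {
	root, err := ParseSexp(src)
	if err != nil {
		return nil, err
	}
	if len(root.List) == 0 || root.List[0].Atom != "privkeys" {
		return nil, errors.New("top-level form is not (privkeys ...)")
	}
	var out []string
	for i, acct := range root.List[1:] {
		name, proto, pk := child(acct, "name"), child(acct, "protocol"), child(acct, "private-key")
		if len(acct.List) == 0 || acct.List[0].Atom != "account" || name == nil || proto == nil || pk == nil {
			return nil, fmt.Errorf("entry %d is not a complete (account ...) form", i)
		}
		dsa := pk.List[1]
		for _, f := range []string{"p", "q", "g", "y", "x"} {
			if len(dsa.List) == 0 || dsa.List[0].Atom != "dsa" || child(dsa, f) == nil {
				return nil, fmt.Errorf("entry %d: private-key is not a complete (dsa (p) (q) (g) (y) (x)) form", i)
			}
		}
		out = append(out, name.List[1].Atom+" ("+proto.List[1].Atom+")")
	}
	return out, nil
}

// Constructed sample; hex values are shortened, a real file carries full DSA parameters.
const sampleGood = `(privkeys
 (account (name "clay@example.org/home") (protocol prpl-jabber)
  (private-key (dsa (p #00AB#) (q #00CD#) (g #02#) (y #1234#) (x #5678#)))))`

// The same file after a hand edit dropped the final ')': Ian's mismatched paren.
var sampleBroken = strings.TrimSuffix(sampleGood, ")")

func main() { fmt.Println(ListAccounts(sampleGood)) }
```

Run against a copy of the real file, the checker names the first structural fault (a missing or stray paren, an unterminated string or hex value, an incomplete DSA entry), which is precisely what a hand edit loses track of. The name field is what distinguishes entries; if the account name carries the jabber resource, an assumption consistent with Clay's observation, then changing the resource produces a new entry rather than a reuse of the old key.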
From CLAY@BROKENLADDER.COM Thu Nov 10 21:53:12 2005
From: CLAY@BROKENLADDER.COM (CLAY SHENTRUP)
Date: Thu, 10 Nov 2005 13:53:12 -0800
Subject: [OTR-users] generating keys
In-Reply-To: <20051110202922.GW847@smtp.paip.net>
References: <9129d8bb0511101147q1c6cbd78j1f5c32fc7286b08f@mail.gmail.com> <20051110202922.GW847@smtp.paip.net>
Message-ID: <9129d8bb0511101353k199d3d42k3159cdd5d3d920d7@mail.gmail.com>

> Different accounts have different keys, because people may not want it
> to be obvious that accounts X and Y actually belong to the same person.

Like I said, I knew you'd have an explanation for this. It would be nice to
be able to turn this feature off though.

> You can just put a couple of extra lines on your web page, like this:
> http://r6.ca/russellotr.asc

That presumes one has a web page and that it is trustworthy. Suppose the CIA
hacked it? Not a great place to place trust imo. My solution of just
manually altering the keys file seems to work well, because it doesn't force
multiple voice verifications (phone calls).

> > but one thing i just had happen, which was really weird, is that i was using
> > an account that already has a key, and a new key was generated, obviously
> > foreign to my friend. i closed gaim and removed the new key from the key
> > file, and restarted..and everything worked fine. so why did it just add a
> > new key in the first place?! bizarre.
>
> The most probable thing that jumps to mind is that when you edited the
> private keys file by hand, you ended up with an invalid key somewhere (a
> mismatched paren, possibly). When the new key was created, the keys
> file would have been rewritten correctly.

Nope. What happened was the resource changed, like I explained in a later
email.

thanks,
clay

From ian@cypherpunks.ca Thu Nov 10 22:05:18 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Thu, 10 Nov 2005 17:05:18 -0500
Subject: [OTR-users] generating keys
In-Reply-To: <9129d8bb0511101353k199d3d42k3159cdd5d3d920d7@mail.gmail.com>
References: <9129d8bb0511101147q1c6cbd78j1f5c32fc7286b08f@mail.gmail.com> <20051110202922.GW847@smtp.paip.net> <9129d8bb0511101353k199d3d42k3159cdd5d3d920d7@mail.gmail.com>
Message-ID: <20051110220518.GX847@smtp.paip.net>

On Thu, Nov 10, 2005 at 01:53:12PM -0800, CLAY SHENTRUP wrote:
> > You can just put a couple of extra lines on your web page, like this:
> > http://r6.ca/russellotr.asc
>
> that presumes one has a web page and that it is trustworthy. suppose the cia
> hacked it? not a great place to place trust imo.

No, there's no problem, even if the CIA hacks it, since it's GPG-signed.
What you're doing here is leveraging existing trust (GPG) to
authenticate your new (OTR) keys. I agree that it's approximately
pointless to put unsigned copies of your OTR keys on your webpage.
But if you've got GPG, and you put up a signed copy, you'll never have
to do the voice verification with your friends again (assuming they
already trust your GPG key).

   - Ian

From CLAY@BROKENLADDER.COM Thu Nov 10 23:22:06 2005
From: CLAY@BROKENLADDER.COM (CLAY SHENTRUP)
Date: Thu, 10 Nov 2005 15:22:06 -0800
Subject: [OTR-users] generating keys
In-Reply-To: <20051110220518.GX847@smtp.paip.net>
References: <9129d8bb0511101147q1c6cbd78j1f5c32fc7286b08f@mail.gmail.com> <20051110202922.GW847@smtp.paip.net> <9129d8bb0511101353k199d3d42k3159cdd5d3d920d7@mail.gmail.com> <20051110220518.GX847@smtp.paip.net>
Message-ID: <9129d8bb0511101522s2244ffafl8a98b2484154a5b7@mail.gmail.com>

> I agree that it's approximately
> pointless to put unsigned copies of your OTR keys on your webpage.
> But if you've got GPG, and you put up a signed copy, you'll never have
> to do the voice verification with your friends again (assuming they
> already trust your GPG key).

Kind of passing the buck eh? ;)

-clay

From paul@cypherpunks.ca Fri Nov 11 06:01:42 2005
From: paul@cypherpunks.ca (Paul Wouters)
Date: Fri, 11 Nov 2005 07:01:42 +0100 (CET)
Subject: automating GPG/OTR lookups, was Re: [OTR-users] generating keys
In-Reply-To: <20051110220518.GX847@smtp.paip.net>
References: <9129d8bb0511101147q1c6cbd78j1f5c32fc7286b08f@mail.gmail.com> <20051110202922.GW847@smtp.paip.net> <9129d8bb0511101353k199d3d42k3159cdd5d3d920d7@mail.gmail.com> <20051110220518.GX847@smtp.paip.net>
Message-ID:

On Thu, 10 Nov 2005, Ian Goldberg wrote:

> No, there's no problem, even if the CIA hacks it, since it's GPG-signed.
> What you're doing here is leveraging existing trust (GPG) to
> authenticate your new (OTR) keys. I agree that it's approximately
> pointless to put unsigned copies of your OTR keys on your webpage.
> But if you've got GPG, and you put up a signed copy, you'll never have
> to do the voice verification with your friends again (assuming they
> already trust your GPG key).

We need a plugin, I agree. The problem is that I'd like to be able to do
the following:

- Automate key verification (requires some standard) (eg GPG signing, in
  some recognisable format)
- Not store all (signed) keys in one place preferably (but we could, since
  it is signed with). Distribution is good.

We could think of some 'standard way' of adding an "otr" identity to our
existing GPG keys. I currently have multiple IDs with my key. They are
currently all linking email identities. But it could also link an OTR
identity. The information we need to put in such an additional PGP/GPG
identity is:

1) Protocol / server (AIM, MSN, jabber@jabber.org, jabber@jabber.xs4all.nl)
2) IM name(s) (multiple in case of jabber? Or allow PaulWouters/* ?)
3) OTR fingerprint,
[4) OTR version?].

Then we just need a plugin that queries GPG/PGP servers. I am not sure if we
can do wildcard searches effectively on those servers, or whether we need to
use OTR to inline communicate the GPG keyid that supposedly signed our OTR
fingerprint. eg do a leap of faith and verify.

One thing that comes to mind is it creates cruft in the keyservers, but
AFAIK those are being cleaned up in a way that 'any old data not resigned
will be deleted', so that things like lost private keys will not clutter up
the key servers. You would likely want to use reasonably short lived keys
for this reason. You can't keep adding identities to your real key, it
would become a mess. So I think what we need is to create a subkey (or new
GPG key especially for OTR) that is just signed by your real GPG/PGP key.
It can expire quickly, you can make a new one, and even revoke it if your
OTR private key is stolen.

Is this scheme vulnerable to an attack? Are there potential key rollover
issues? Will the GPG keyserver people hunt us down for doing this?
Paul

From CLAY@BROKENLADDER.COM Fri Nov 11 06:43:31 2005
From: CLAY@BROKENLADDER.COM (CLAY SHENTRUP)
Date: Thu, 10 Nov 2005 22:43:31 -0800
Subject: [OTR-users] the brotherhood
Message-ID: <9129d8bb0511102243m65eb2fc0i689aa75871d64d20@mail.gmail.com>

oh, and just a quick question. for anyone who's read 1984..

does a "brotherhood" exist?

my openpgp key <http://eskilo.warpmail.net/CLAY%20SHENTRUP%20%28USE%20FOR%20ANY%20%40BROKENLADDER.COM%20ADDRESS.%29%20CLAY%40BROKENLADDER.COM%20%280x26799ABB%29%20pub.asc>

--
XEROX COLOR LASER PRINTERS PRINT A SERIES OF SECRET DOTS
ON EVERY PAGE THAT IDENTIFY THE TIME AND DATE YOU PRINTED A
DOCUMENT PLUS THE SERIAL NUMBER OF THE PRINTER YOU USED.

From paul@cypherpunks.ca Fri Nov 11 16:41:06 2005
From: paul@cypherpunks.ca (Paul Wouters)
Date: Fri, 11 Nov 2005 17:41:06 +0100 (CET)
Subject: automating GPG/OTR lookups, was Re: [OTR-users] generating keys
In-Reply-To: <9129d8bb0511102234i4d82f489m6f00a6fc2b6491ab@mail.gmail.com>
References: <9129d8bb0511101147q1c6cbd78j1f5c32fc7286b08f@mail.gmail.com> <20051110202922.GW847@smtp.paip.net> <9129d8bb0511101353k199d3d42k3159cdd5d3d920d7@mail.gmail.com> <20051110220518.GX847@smtp.paip.net> <9129d8bb0511102234i4d82f489m6f00a6fc2b6491ab@mail.gmail.com>
Message-ID:

On Thu, 10 Nov 2005, CLAY SHENTRUP wrote:

> my only point leading into this was simply, i don't want a different key
> made for every resource. there should just be one key generated per account
> per .gaim folder. this also makes sense with respect to the fact that
> non-jabber accounts don't even have "resource".

I think the only way to do this (of course assuming you want to publicly link your identity to an OTR identity to begin with) is to have one key with subkeys as identities.

> as for using gpg; if you want to do it, just put your pgp-signed otr
> fingerprint on your web site, or as an email attachment. wouldn't that
> suffice?

The whole point is that this approach does not automate in a plugin for people. I want the otr plugin to check my public pgp key ring, and then be able to automatically verify keys signed by people I trust through my web of trust. E.g. if I have Ian's key, and I trust him fully, and he has signed Nikita's key, then if Nikita OTR's me, I want to see a verified fingerprint without me doing anything.
Paul
-- 
"Happiness is never grand" --- Mustapha Mond, World Controller (Brave New World)

From bdesham@gmail.com Sat Nov 12 03:45:51 2005
From: bdesham@gmail.com (Benjamin Esham)
Date: Fri, 11 Nov 2005 22:45:51 -0500
Subject: [OTR-users] Newbie questions about verifying your buddies' fingerprints
Message-ID:

Hello all,

I'm using the OTR plugin for Adium (so I'm using the older version of the OTR protocol). The idea of encrypted IMing is great, though I haven't yet been able to coerce any of my friends to convert to an OTR-capable IM client :-)

My question is this: I should be verifying my buddies' fingerprints before I start conversations, right? In other words, is OTR like OpenPGP to the extent that I need to verify that the key [fingerprint] really belongs to the buddy I think I'm talking to? This seems like a standard process for encrypted information exchange, but the website says nothing about confirming your buddy's fingerprint.

If it is true that you should verify your fingerprints, would it make sense (as another poster just asked) to publish my OTR fingerprint online, signed by my GPG key? (If /that/'s true, is there any particular reason why the window displaying the fingerprint in Adium won't allow the fingerprint to be copied, and even disappears when switching to another application?)

Thanks for answers to any of these questions!

-- 
Benjamin D. Esham
bdesham@gmail.com | http://bdesham.net | AIM: bdesham128
Wikipedia, the Free Encyclopedia • http://en.wikipedia.org

From ian@cypherpunks.ca Sat Nov 12 03:53:57 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Fri, 11 Nov 2005 22:53:57 -0500
Subject: [OTR-users] Newbie questions about verifying your buddies' fingerprints
In-Reply-To:
References:
Message-ID: <20051112035357.GG847@smtp.paip.net>

On Fri, Nov 11, 2005 at 10:45:51PM -0500, Benjamin Esham wrote:
> Hello all,
>
> I'm using the OTR plugin for Adium (so I'm using the older version of
> the OTR protocol). The idea of encrypted IMing is great, though I
> haven't yet been able to coerce any of my friends to convert to an
> OTR-capable IM client :-)
>
> My question is this: I should be verifying my buddies' fingerprints
> before I start conversations, right? In other words, is OTR like
> OpenPGP to the extent that I need to verify that the key
> [fingerprint] really belongs to the buddy I think I'm talking to?
> This seems like a standard process for encrypted information
> exchange, but the website says nothing about confirming your buddy's
> fingerprint.

Everything you say is correct. In the new gaim-otr, there's more help text (both in an expander in the "unknown fingerprint" dialog, as well as in web-based help reachable from various places in the app) to explain the process.

> If it is true that you should verify your fingerprints, would it make
> sense (as another poster just asked) to publish my OTR fingerprint
> online, signed by my GPG key?
Yup, that's a perfectly reasonable thing to do. [Make sure to include your IM name and protocol along with the fingerprint in the signed message, though.]

> (If /that/'s true, is there any
> particular reason why the window displaying the fingerprint in Adium
> won't allow the fingerprint to be copied, and even disappears when
> switching to another application?)

Can't help you with that; I don't use OS X. Evan's responsible for the OTR integration in Adium X. Evan, can you speak to this issue?

- Ian

From bdesham@gmail.com Sat Nov 12 05:28:11 2005
From: bdesham@gmail.com (Benjamin Esham)
Date: Sat, 12 Nov 2005 00:28:11 -0500
Subject: [OTR-users] Newbie questions about verifying your buddies' fingerprints
In-Reply-To: <20051112035357.GG847@smtp.paip.net>
References: <20051112035357.GG847@smtp.paip.net>
Message-ID: <8830734C-5CFF-4392-88F2-00FE679191A9@gmail.com>

Ian Goldberg wrote:
> Benjamin Esham wrote:
>
>> I should be verifying my buddies' fingerprints before I start
>> conversations, right? [snip]
>
> Everything you say is correct. In the new gaim-otr, there's more help
> text (both in an expander in the "unknown fingerprint" dialog, as well as
> in web-based help reachable from various places in the app) to explain the
> process.

OK. Maybe it's just because I'm using Adium and not Gaim, but in any event I never saw this part of the process explained.

>> If it is true that you should verify your fingerprints, would it make
>> sense (as another poster just asked) to publish my OTR fingerprint
>> online, signed by my GPG key?
>
> Yup, that's a perfectly reasonable thing to do. [Make sure to include
> your IM name and protocol along with the fingerprint in the signed
> message, though.]
OK, done :-)

>> (If /that/'s true, is there any particular reason why the window
>> displaying the fingerprint in Adium won't allow the fingerprint to be
>> copied, and even disappears when switching to another application?)
>
> Can't help you with that; I don't use OS X. Evan's responsible for the
> OTR integration in Adium X. Evan, can you speak to this issue?

To be fair, this is probably a bug, not an intended feature. (It is a rather annoying bug, though; 40-character hashes sound like a great idea until you have to manually retype one, switching applications every 4 characters :-))

Thanks for clearing up these questions!

Cheers,
-- 
Benjamin D. Esham
bdesham@gmail.com | http://bdesham.net | AIM: bdesham128
"The wizards represent all that the true 'Muggle' most fears: They are plainly outcasts and comfortable with being so. Nothing is more unnerving to the truly conventional than the unashamed misfit!" — J.K. Rowling

From bdesham@gmail.com Sat Nov 12 15:53:03 2005
From: bdesham@gmail.com (Benjamin Esham)
Date: Sat, 12 Nov 2005 10:53:03 -0500
Subject: [OTR-users] Re: [OT] Getting people to switch to Jabber (was: Newbie questions about verifying your buddies' fingerprints)
In-Reply-To: <9129d8bb0511112205i23ec7d94p41071e70b2c100ee@mail.gmail.com>
References: <20051112035357.GG847@smtp.paip.net> <8830734C-5CFF-4392-88F2-00FE679191A9@gmail.com> <9129d8bb0511112205i23ec7d94p41071e70b2c100ee@mail.gmail.com>
Message-ID:

[re-cc'ing to list]

On Nov 12, 2005, at 1:05 AM, CLAY SHENTRUP wrote:

> if you want to be really elite, get a jabber address and give up on the
> proprietary obsolete protocols. ;)

You're talking about AIM, right? I try to use Jabber or Google Talk whenever possible, but as of yet none of my friends have a clue what either of those is.

Some kind of grassroots campaign to get people to switch to Gaim and Jabber would be nice; the Firefox people seem to have been quite successful with Spread Firefox. I seem to remember something on Ross Burton's blog about a Jabber advocacy site, but AFAIK nothing ever happened with that.

Cheers,
-- 
Benjamin D. Esham
bdesham@gmail.com | http://bdesham.net | AIM: bdesham128
Wikipedia, the Free Encyclopedia • http://en.wikipedia.org

From alaricx@gmail.com Sun Nov 13 21:23:19 2005
From: alaricx@gmail.com (Dustin Howett)
Date: Sun, 13 Nov 2005 16:23:19 -0500
Subject: [OTR-users] A source patch.. location?
Message-ID:

To whom or where would I send a gaim-2.0.0 compatibility patch? My modification causes me no trouble and I seek someone to send it to.

From ian@cypherpunks.ca Sun Nov 13 22:24:49 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Sun, 13 Nov 2005 17:24:49 -0500
Subject: [OTR-users] A source patch.. location?
In-Reply-To:
References:
Message-ID: <20051113222449.GL847@smtp.paip.net>

On Sun, Nov 13, 2005 at 04:23:19PM -0500, Dustin Howett wrote:
> To whom or where would I send a gaim-2.0.0 compatibility patch? My
> modification causes me no trouble and I seek someone to send it to.

Either the dev team at , or the otr-dev mailing list at .

- Ian

From CLAY@BROKENLADDER.COM Thu Nov 17 07:34:53 2005
From: CLAY@BROKENLADDER.COM (CLAY SHENTRUP)
Date: Wed, 16 Nov 2005 23:34:53 -0800
Subject: [OTR-users] gaim 2.0
Message-ID: <9129d8bb0511162334j22400b7fya9360afc32ac05f4@mail.gmail.com>

just a heads up, gaim 2.0 will be out in a couple months. will otr be modified to compile for it?

it will support sip. any chance the otr devs might be up for adding some srtp goodness to that? :) the important thing is that the key exchange is done through diffie-hellman, and usable regardless of whether you've verified the "fingerprints". so far you have to use "certificates" for srtp sessions in every client i've seen. this is bad bad business.

thanks,
clay

--
XEROX COLOR LASER PRINTERS PRINT A SERIES OF SECRET DOTS
ON EVERY PAGE THAT IDENTIFY THE TIME AND DATE YOU PRINTED A
DOCUMENT PLUS THE SERIAL NUMBER OF THE PRINTER YOU USED.

From ian@cypherpunks.ca Thu Nov 17 13:51:57 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Thu, 17 Nov 2005 08:51:57 -0500
Subject: [OTR-users] gaim 2.0
In-Reply-To: <9129d8bb0511162334j22400b7fya9360afc32ac05f4@mail.gmail.com>
References: <9129d8bb0511162334j22400b7fya9360afc32ac05f4@mail.gmail.com>
Message-ID: <20051117135157.GO847@smtp.paip.net>

On Wed, Nov 16, 2005 at 11:34:53PM -0800, CLAY SHENTRUP wrote:
> just a heads up, gaim 2.0 will be out in a couple months. will otr be
> modified to compile for it?

It will be. Someone's sent in a patch; we'll be working it out over on the otr-dev list.

> it will support sip. any chance the otr devs might be up for adding some
> srtp goodness to that? :) the important thing is that the key exchange is
> done through diffie-hellman, and usable regardless of whether you've
> verified the "fingerprints". so far you have to use "certificates" for srtp
> sessions in every client i've seen. this is bad bad business.

No promises. ;-)

Note that just because a protocol uses Diffie-Hellman doesn't give it all the same privacy properties as OTR.
It may not provide the same deniability aspects, and if the D-H is only done once per session, your forward secrecy window may be very large. It may not even provide authentication! [Trillian's SecureIM falls into this category, for example.] If you don't have something like a certificate for the guy at the other end, how do you know it's really him, and not a man-in-the-middle passing your traffic back and forth (reading it along the way)?

- Ian

From CLAY@BROKENLADDER.COM Thu Nov 17 20:03:54 2005
From: CLAY@BROKENLADDER.COM (CLAY SHENTRUP)
Date: Thu, 17 Nov 2005 12:03:54 -0800
Subject: [OTR-users] gaim 2.0
In-Reply-To: <20051117135157.GO847@smtp.paip.net>
References: <9129d8bb0511162334j22400b7fya9360afc32ac05f4@mail.gmail.com> <20051117135157.GO847@smtp.paip.net>
Message-ID: <9129d8bb0511171203w1696b29ar4cfad1c4777b83fd@mail.gmail.com>

> It may not provide the same deniability aspects

the third type of mikey key agreement uses signed diffie-hellman "half-keys", like otr. perfect forward secrecy, and plausible deniability. granted though, it may not use a type of aes where a substitution is plausible. of course, your voice is hard to deny anyway.

> and if the D-H is only done once
> per session, your forward secrecy window may be very large.

rfc 3711 <http://www.networksorcery.com/enp/rfc/rfc3711.txt> states:

    SRTP provides for some additional features. They have been
    introduced to lighten the burden on key management and to
    further increase security. They include:

    * A single "master key" can provide keying material for
      confidentiality and integrity protection, both for the SRTP stream
      and the corresponding SRTCP stream. This is achieved with a key
      derivation function (see Section 4.3), providing "session keys"
      for the respective security primitive, securely derived from the
      master key.

    * In addition, the key derivation can be configured to periodically
      refresh the session keys, which limits the amount of ciphertext
      produced by a fixed key, available for an adversary to
      cryptanalyze.

    * "Salting keys" are used to protect against pre-computation and
      time-memory tradeoff attacks [MF00] [BS00].

> It may not even provide authentication!

mikey has three key agreement schemes, the third of which is similar to OTR, in that diffie-hellman is used with signed "half keys". the frustrating thing though, is that it uses "certificates", which have to be verifiable with some cert authority presumably. my feeling is that it should work like OTR, where even if you don't verify the fingerprint, it still "works", but just says "unauthenticated". and if you push some button on your phone, you can view either your session id hash or your fingerprint, and speak it to someone whose voice you know, to rule out a mim. one frustrating feature of minisip, is that it won't let you choose that type of mikey key agreement without putting in a digital cert first. argghhhhh..

this document <http://www.ietf.org/internet-drafts/draft-ietf-msec-mikey-dhhmac-11.txt> describes some alteration of this third scheme, to avoid the need for public keys. but i don't know how "keyed hashes" can remove the need for some sort of digital signature of the public dh generator "half keys".

otr is fine and all, but when i get a little money saved up, and really get my underground anti-government resistance up and running, i want hard core deniable authenticated sip calls. i just wish the people behind srtp/mikey were as brilliant as you, ian.

and back to the gaim issue. i guess their sip support will just be for text atm. funny, since instant messaging in sip is more of an afterthought, and nowhere near as robust as jabber. their voice support will be compatible with google talk..a proprietary system that google promises to switch to sip eventually anyway. argghhhh.

thanks for the response,
clay

From gmaxwell@gmail.com Thu Nov 17 20:50:11 2005
From: gmaxwell@gmail.com (Gregory Maxwell)
Date: Thu, 17 Nov 2005 15:50:11 -0500
Subject: [OTR-users] Feature request- Revoke identity
Message-ID:

Perhaps this should have been made at the last protocol change.. but I didn't have cause for it until now...

I'd like to be able to select any identity I have the private key for, and hit a revoke and replace button. This will create a new identity, with the old one tagged below it as revoked. Whenever I talk to someone with this new identity it will provide them with proof it knew the old identity's private key. The old identity is then marked in their list as revoked and the software should refuse to communicate over it, even if they have not yet verified the new identity (if an attacker has my key I couldn't be more pleased if he went around using it to revoke it rather than using it to impersonate me!)
I thought it might also be useful if users exchanged lists of revokes to ensure the revocation gets around quickly, but there are too many privacy problems with that ("oh, you also know user X").

The application is if you are aware that your key has been compromised you can quickly cause other users to stop using it to prevent impersonation. If you actually lose the key then you couldn't create revokes, ... but I guess we can't have everything.

I have no clue if this can be easily fit into the current protocol, but I feel confident that we should eventually have the feature.

From ian@cypherpunks.ca Thu Nov 17 21:11:35 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Thu, 17 Nov 2005 16:11:35 -0500
Subject: [OTR-users] Feature request- Revoke identity
In-Reply-To:
References:
Message-ID: <20051117211135.GP847@smtp.paip.net>

On Thu, Nov 17, 2005 at 03:50:11PM -0500, Gregory Maxwell wrote:
> I'd like to be able to select any identity I have the private key for,
> and h
it a revoke and replace button. This will create a new identity,
> with the old one tagged below it as revoked. Whenever I talk to
> someone with this new identity it will provide them with proof it knew
> the old identity's private key. The old identity is then marked in
> their list as revoked and the software should refuse to communicate
> over it, even if they have not yet verified the new identity (if an
> attacker has my key I couldn't be more pleased if he went around using
> it to revoke it rather than using it to impersonate me!)

Looks pretty easy, but I think the details may be tricky. Just create a revocation cert at the time you create the key. Store it on disk, alongside the key. You should back up the revocation cert list, even if you don't back up your private keys. Then I can send you revocation certs, but you'll need to remember all the ones you ever see, in case I send you "Revoke key A", but you've not (yet) heard of key A, but later on, you do.
And will you have to keep sending that revocation forever? Or should there be some negotiation like "Here's a hash of my entire revocation history" / "yup; I've got all that, thanks"?

The wire protocol wouldn't have to change for this; a new TLV for "revocation certificates" should work fine. Older clients would just ignore it, which is as good a behaviour as you could expect.

Can you file an RFE on sourceforge for this so we don't forget? ;-)

The other hard part, of course, is making this make sense to people who have never heard of keys or certificates or encryption.

- Ian

From paul@cypherpunks.ca Fri Nov 18 07:06:37 2005
From: paul@cypherpunks.ca (Paul Wouters)
Date: Fri, 18 Nov 2005 08:06:37 +0100 (CET)
Subject: [OTR-users] Feature request- Revoke identity
In-Reply-To:
References:
Message-ID:

On Thu, 17 Nov 2005, Gregory Maxwell wrote:

> someone with this new identity it will provide them with proof it knew
> the old identity's private key. The old identity is then marked in
> their list as revoked and the software should refuse to communicate
> over it, even if they have not yet verified the new identity (if an
> attacker has my key I couldn't be more pleased if he went around using
> it to revoke it rather than using it to impersonate me!)

Uhm, couldn't the attacker do the same with the stolen key, and inject new false identities to your buddies too?

I'd prefer using OTR identities in GPG (sub)keys. There you can do all the revoke/sign/trust relationships already. We just need to bind those to OTR identities (with a special (sub)key combining my GPG entity with my OTR keys and IM identities).

This was discussed before a few weeks back, but the developers were eerily quiet and probably don't want to be known as "the people who put all those keys in the PGP keyservers".
Paul From ian@cypherpunks.ca Fri Nov 18 11:53:15 2005 From: ian@cypherpunks.ca (Ian Goldberg) Date: Fri, 18 Nov 2005 06:53:15 -0500 Subject: [OTR-users] Feature request- Revoke identity In-Reply-To: References: Message-ID: <20051118115315.GR847@smtp.paip.net> On Fri, Nov 18, 2005 at 08:06:37AM +0100, Paul Wouters wrote: > On Thu, 17 Nov 2005, Gregory Maxwell wrote: > > > someone with this new identity it will provide them with proof it knew > > the old identity's private key. The old identity is then marked in > > their list as revoked and the software should refuse to communicate > > over it, even if they have not yet verified the new identity (if an > > attacker has my key I couldn't be more pleased if he went around using > > it to revoke it rather than using it to impersonate me!) > > Uhm, couldn't the attacker do the same with with the stolen key, and > inject new false identities to your buddies too? But the *new* key wouldn't be trusted. The only way to trust a key (at the moment) is to indicate that you've manually verified it. This is a mechanism only to automatically *untrust* keys. [And it's a little stronger than the "untrust" we've got now, which just marks the key as unverified; it will actually mark it as explicitly untrusted, and refuse to use it.] > I'd prefer using OTR identities in GPG (sub)keys. There you can do all the > revoke/sign/trust relationships already. We just need to bind those to OTR > identities (with a special (sub)key combing my GPG entity with my OTR keys > and IM identities). > > This was discussed before a few weeks back, but the developers were eerily > quiet and probably don't want to be known as "the people who put all those > keys in the PGP keyservers". Actually, I thought it was at least a semi-plausible idea that bears further looking at. But not just right at this moment. 
You did catch the major tricky bit that most people miss: they say "I want to use my existing GPG key to sign my OTR key and have it checked automatically!" but they neglect to realize that you need some way to know that the GPG key for is allowed to sign for the AIM ID otr4ian. You correctly point out that you should add a subkey to your GPG key with some automatically parsable ID like or something like that. Howver, one of the big downsides of relying on GPG for the revocation/etc. behaviour is that (approximately) no one understands how to use it. OTR is supposed to be usable for anyone that can use, say, gaim. If it's not, that's a potential bug that needs to be fixed, keeping in mind that we need to maintain appropriate security. I'm all for "reducing it to a previously solved problem", as the mathematicians are wont to say. But I don't think that GPG revocation certs are a previously solved problem. - Ian From gdt@ir.bbn.com Tue Nov 22 16:41:15 2005 From: gdt@ir.bbn.com (Greg Troxel) Date: 22 Nov 2005 11:41:15 -0500 Subject: [OTR-users] Feature request- Revoke identity In-Reply-To: <20051118115315.GR847@smtp.paip.net> References: <20051118115315.GR847@smtp.paip.net> Message-ID: I'm all for "reducing it to a previously solved problem", as the mathematicians are wont to say. But I don't think that GPG revocation certs are a previously solved problem. Solved as a protocol issue, but not as in training normal people to do key management. I'd say it's better for OTR to leverage the protocol, and what clue there is, than to roll its own, absent a compelling reason why such a path is broken. 
-- Greg Troxel From rabbi@abditum.com Tue Nov 22 16:57:25 2005 From: rabbi@abditum.com (Len Sassaman) Date: Tue, 22 Nov 2005 08:57:25 -0800 (PST) Subject: [OTR-users] Feature request- Revoke identity In-Reply-To: References: Message-ID: On Fri, 18 Nov 2005, Paul Wouters wrote: > Uhm, couldn't the attacker do the same with with the stolen key, and > inject new false identities to your buddies too? > > I'd prefer using OTR identities in GPG (sub)keys. There you can do all the > revoke/sign/trust relationships already. We just need to bind those to OTR > identities (with a special (sub)key combing my GPG entity with my OTR keys > and IM identities). If you're going to do this, you probably want to talk to the OpenPGP folks about creating an OTR-specific packet for this purpose. However, I think that tying OTR into OpenPGP is probably somewthing we want to avoid -- the Web of Trust is a pretty bad idea, from a privacy-concern standpoint.
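The scheme Ian sketches in his 17 Nov reply (make the revocation certificate at key-creation time and keep it beside the key; have every recipient remember every revocation it ever sees, even for keys it has not met yet, and refuse such a key when it later shows up; compare a hash of the whole revocation history to decide whether anything still needs resending), together with his answer to Paul that a stolen key can revoke itself but the replacement key arrives unverified rather than trusted, as an added Python sketch. This is not libotr code and no released OTR version implements it. The Schnorr-style toy signature over the Mersenne prime 2**127-1, the SHA-1 fingerprint, the `OTR-REVOKE:` message label and all class and function names are assumptions chosen so the example runs on the standard library alone; real OTR keys are DSA and a real implementation would use a proper signature scheme and key size.

```python
"""Hypothetical sketch of the self-revocation scheme discussed in this thread.

Not libotr code. The signature is a toy Schnorr-style scheme over the Mersenne
prime 2**127 - 1, chosen only so the example runs on the standard library; it is
far too small to be secure. Real OTR keys are DSA."""
import hashlib
import secrets
from dataclasses import dataclass

P = 2**127 - 1   # toy prime modulus (assumption); exponents are reduced mod P - 1
G = 3            # toy generator (assumption)


def _challenge(r: int, msg: bytes) -> int:
    """Fiat-Shamir challenge e = H(r || msg), reduced into the exponent range."""
    h = hashlib.sha256(r.to_bytes(16, "big") + msg).digest()
    return int.from_bytes(h, "big") % (P - 1)


def keygen() -> tuple[int, int]:
    x = secrets.randbelow(P - 2) + 1          # private exponent in [1, P-2]
    return x, pow(G, x, P)                    # (private, public)


def sign(x: int, msg: bytes) -> tuple[int, int]:
    k = secrets.randbelow(P - 2) + 1
    r = pow(G, k, P)
    s = (k + _challenge(r, msg) * x) % (P - 1)
    return r, s


def verify(pub: int, msg: bytes, sig: tuple[int, int]) -> bool:
    r, s = sig
    if not (0 < r < P and 0 <= s < P - 1):
        return False
    # g^s == r * pub^e (mod P) holds because g^(P-1) == 1 (Fermat)
    return pow(G, s, P) == (r * pow(pub, _challenge(r, msg), P)) % P


def fingerprint(pub: int) -> str:
    """Stand-in for OTR's DSA key fingerprint (assumed SHA-1 of the public value)."""
    return hashlib.sha1(pub.to_bytes(16, "big")).hexdigest()


def _revoke_msg(pub: int) -> bytes:
    return b"OTR-REVOKE:" + fingerprint(pub).encode()   # assumed label


@dataclass(frozen=True)
class RevocationCert:
    """'This key revokes itself', signed by the key it revokes."""
    pub: int
    sig: tuple[int, int]

    @property
    def fpr(self) -> str:
        return fingerprint(self.pub)

    def is_valid(self) -> bool:
        return verify(self.pub, _revoke_msg(self.pub), self.sig)


def create_identity() -> tuple[int, int, RevocationCert]:
    """Make the revocation cert at key-creation time and keep it with the key."""
    x, pub = keygen()
    return x, pub, RevocationCert(pub, sign(x, _revoke_msg(pub)))


class KeyStore:
    """A buddy's view: manually verified fingerprints plus every revocation ever seen."""

    def __init__(self) -> None:
        self.verified: set[str] = set()
        self.revoked: dict[str, RevocationCert] = {}   # kept even for never-seen keys

    def receive_revocation(self, cert: RevocationCert) -> bool:
        """Accept a revocation only if it verifies under the key it revokes."""
        if not cert.is_valid():
            return False
        self.revoked[cert.fpr] = cert
        self.verified.discard(cert.fpr)
        return True

    def policy_for(self, pub: int) -> str:
        """'refuse' beats everything: a revoked key is never used, verified or not."""
        fpr = fingerprint(pub)
        if fpr in self.revoked:
            return "refuse"
        return "trusted" if fpr in self.verified else "unverified"

    def history_hash(self) -> str:
        """'Here's a hash of my entire revocation history', order-independent."""
        h = hashlib.sha256()
        for fpr in sorted(self.revoked):
            h.update(bytes.fromhex(fpr))
        return h.hexdigest()

    def in_sync_with(self, peer_history_hash: str) -> bool:
        """'Yup, I've got all that' when the peer's hash matches ours."""
        return peer_history_hash == self.history_hash()


if __name__ == "__main__":
    _, pub_a, cert_a = create_identity()
    store = KeyStore()
    store.receive_revocation(cert_a)          # "Revoke key A" arrives before A is ever seen
    print(store.policy_for(pub_a))            # refuse
```

The store keeps revocations keyed by fingerprint rather than by buddy, which is what lets "Revoke key A" be honoured when A turns up later, and the history hash is computed over the sorted fingerprints so two peers that learned the same revocations in different orders still agree.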