[OTR-dev] Flaw in OTR Protocol (with workaround!)
Greg Troxel
gdt at ir.bbn.com
Thu Aug 4 09:18:35 EDT 2005
> If you were to select "End private conversation" from the OTR menu
> before quitting your client, wouldn't something just like this happen?
Does that send a message to the other side to discard the SA? I want
my client to have an exit hook that sends destroy messages, just as
when one does "/etc/rc.d/racoon stop" on NetBSD the racoon sends
DELETE messages to the other side. I see the same issue for the
other side with this as what I was proposing.
> I don't think the *format* is the issue: if you're proposing to use your
> *actual gpg key* as the signing key, then you're opening lots of cans of
> worms.
No, I mean to have a gpg key that I use for signing email, and a
separate per-machine otr signing key, much like we do now.
> How do you import the signatures into OTR? How does someone
> who's never heard of gpg verify them? Even if they have heard of gpg,
> where is their public key ring? Where's your secret key ring? Is it
> even on this particular computer?
I didn't mean to make this gpg-only, so that raw OTR won't work.
> Are we assuming you're using any one particular implementation of
> the openpgp format?
Well, there's really only one Free implementation... Of course I'm
using gnupg.
> Since when does the PGP WoT not require manual comparisons, anyway?
It does. But my point is that once I've exchanged fingerprints of
long-term signing keys with someone and cross-certified, then I don't
need to confirm their yearly encryption keys, or their friend's keys,
because I can let pgp's PKI do that for me.
> Could you be more explicit about a user scenario?
Sure.
I have gpg set up, and public/private ring, for normal email use. I
have cross-signatures with my friends and colleagues, who are, not
super coincidentally, the same people I want to do OTR with.
I run OTR on the same computer, and generate an OTR public/private
keypair.
Somehow, I:
  * export my OTR public key to gnupg
  * sign my OTR public key with my regular gpg key
  * import that signature back to OTR
For machines where I don't have my pgp private keys, perhaps this is a
bit harder, but still not that bad.
My correspondents do likewise.
I begin an OTR key exchange.
My client sends not only my public key, but also the signatures. My
client receives the other person's public OTR key and signatures. My
client asks gnupg (somehow) to verify the signature, and the trust
path from a PGP WoT viewpoint. If acceptable to PGP (i.e., would be
used to send mail w/o warning), I don't get a popup, or I get
different status.
For this I need the public part of my keyring, but not the private
keyring.
The result is that I can use the long-term signing keys to verify OTR
signing keys. This has two advantages:
* it leverages the work I've already done for PGP key exchange (which
is hard, and we know most people aren't as rigorous about this as
they perhaps should be)
* because of the leverage, it makes it far more likely that OTR
signing keys will be actually verified somehow
--
Greg Troxel <gdt at ir.bbn.com>
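The decision the client would have to make in the scenario above (accept the peer's OTR signing key without a popup if, and only if, the attached gpg signatures give it validity under the PGP web of trust) is modelled below. This is an added example, not code from the mail's author or from the OTR project: it assumes gnupg has already checked the OpenPGP signatures cryptographically, and only reimplements the validity computation of gnupg's classic trust model (one fully trusted signer or three marginally trusted ones, certification depth limited to five) so that it can be applied to a cross-certified OTR key. The fingerprints ("ME", "ALICE", "OTR-ALICE" and so on), the keyring contents and the function names are constructed for the example.

```python
"""Check a peer's OTR signing key against the PGP web of trust.

Added example, not from the OTR project or the mail's author.  Assumes the
OpenPGP certifications were already verified cryptographically by gnupg; only
gnupg's classic trust-model validity rules are modelled here (defaults:
--completes-needed 1, --marginals-needed 3, --max-cert-depth 5).  All
fingerprints and keyring contents are constructed sample data.
"""
from dataclasses import dataclass, field

ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"
COMPLETES_NEEDED = 1   # one fully trusted signer makes a key valid
MARGINALS_NEEDED = 3   # or three marginally trusted signers
MAX_CERT_DEPTH = 5     # longest accepted certification chain


@dataclass
class Keyring:
    # fingerprint -> owner trust I assigned (how far I trust that person as a
    # certifier of other keys); keys not listed have unknown owner trust
    owner_trust: dict
    # (signer fingerprint, signed fingerprint): certifications gnupg has
    # already verified; only the public keyring is needed for this
    certifications: set = field(default_factory=set)

    def valid_keys(self):
        """Keys gnupg would use to encrypt mail without a warning: reachable
        from my ultimately trusted key through enough trusted signers,
        within MAX_CERT_DEPTH hops."""
        valid = {fpr for fpr, t in self.owner_trust.items() if t == ULTIMATE}
        for _depth in range(MAX_CERT_DEPTH):
            newly_valid = set()
            for signed in {b for _, b in self.certifications} - valid:
                # only signatures from keys that are themselves valid count
                signers = {a for a, b in self.certifications
                           if b == signed and a in valid}
                full = sum(self.owner_trust.get(a) in (FULL, ULTIMATE)
                           for a in signers)
                marginal = sum(self.owner_trust.get(a) == MARGINAL
                               for a in signers)
                if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                    newly_valid.add(signed)
            if not newly_valid:
                break
            valid |= newly_valid
        return valid


def otr_key_status(keyring, otr_fpr, certs_from_peer):
    """What the client does with a peer's OTR key and the gpg signatures sent
    with it: merge them into a copy of my public keyring and ask whether the
    OTR key is valid under the web of trust.  "trusted" means no popup;
    "unverified" means fall back to the manual fingerprint comparison."""
    merged = Keyring(dict(keyring.owner_trust),
                     set(keyring.certifications) | set(certs_from_peer))
    return "trusted" if otr_fpr in merged.valid_keys() else "unverified"


# Constructed keyring: I cross-signed Alice, Bob, Carol and Dave in person and
# assigned owner trust; Erin is Alice's friend, whom I have never met.
MY_KEYRING = Keyring(
    owner_trust={"ME": ULTIMATE, "ALICE": FULL,
                 "BOB": MARGINAL, "CAROL": MARGINAL, "DAVE": MARGINAL},
    certifications={("ME", "ALICE"), ("ME", "BOB"), ("ME", "CAROL"),
                    ("ME", "DAVE"), ("ALICE", "ERIN")},
)

# Constructed key exchanges: each peer's OTR key plus the signatures it sent.
CASES = {
    "Alice (full trust, she signed her OTR key)":
        ("OTR-ALICE", {("ALICE", "OTR-ALICE")}),
    "Erin (valid key via Alice, but no owner trust from me)":
        ("OTR-ERIN", {("ERIN", "OTR-ERIN")}),
    "Bob (one marginal signer is not enough)":
        ("OTR-BOB", {("BOB", "OTR-BOB")}),
    "Team key certified by three marginally trusted colleagues":
        ("OTR-TEAM", {("BOB", "OTR-TEAM"), ("CAROL", "OTR-TEAM"),
                      ("DAVE", "OTR-TEAM")}),
    "Stranger claiming to be Alice, signed by a key I have never seen":
        ("OTR-MALLORY", {("MALLORY", "OTR-MALLORY")}),
}

if __name__ == "__main__":
    for label, (fpr, certs) in CASES.items():
        print(f"{otr_key_status(MY_KEYRING, fpr, certs):10s} {label}")
```

Two points the cases bring out: a key being valid (Erin's, because Alice fully trusts her) is not the same as its owner being trusted to certify further keys, so Erin's OTR key still needs a manual check; and a single marginally trusted signer never suffices, so Bob's OTR key gets the popup even though I verified Bob's gpg key myself. Both match what gnupg would do for mail to the same people.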