[OTR-dev] Flaw in OTR Protocol (with workaround!)

Kat Hanna kat at paip.net
Thu Aug 4 09:54:27 EDT 2005


On Thu, 4 Aug 2005, Ian Goldberg wrote:

> Surely you don't want the gpg signature to be transmitted on *every*
> key exchange?  You only need to send it once.  The CVS version has an
> explicit step for "verify fingerprint"; *technically*, a plausible thing
> to do would be to allow the user to choose between
>
> 1) manual fingerprint comparison with an out-of-band source
>    [the only method currently supported]
> 2) preshared secret
> 3) gpg
> 4) fleem-based protocols, etc.
>
> But someone will have to come up with a UI for this which is highly
> non-sucky.

This UI point is hugely important.  Right now, people who've never used
an encryption app before report painless setup and unconfused use.  As
we add in features, we have to keep these people in mind.  Let's not let
this turn into yet another difficult-to-use (for most people) security
system.

 -Kat


