[OTR-dev] Fingerprints?

alex323 alex323 at gmail.com
Tue Jan 18 09:07:06 EST 2005

Who should be responsible for storing fingerprints on the hard drive? 
Should the client do it? Or should the library do it?

Ian Goldberg wrote:

>On Mon, Jan 17, 2005 at 04:42:04PM -0500, alex323 wrote:
>>I'm still kind of lost on what a fingerprint is (in the OTR context) 
>>I've heard of D/RSA fingerprints.. is it the same?
>>Is this a fingerprint?:
>>"Calculate the session id as the SHA-1 hash of the (5+len)-byte value
>>composed of the byte 0x00, followed by the (4+len) bytes of
>>secbytes. When a new private connection is established, display
>>these 8 bytes to the user as two 4-byte (big-endian) values, in C
>>"%08x" format."
>No, that's a session id.  This is a fingerprint:
>  The DSA key given in [the Key Exchange Message] has a "Fingerprint",
>  which is the SHA-1 hash of the portion of the message from the
>  beginning of the "p" field (including the MPI length) to the end of
>  the "e" field.  This fingerprint should be displayed to the recipient
>  so that he may verify the sender's key.
>   - Ian
>OTR-dev mailing list
>OTR-dev at lists.cypherpunks.ca

More information about the OTR-dev mailing list