[OTR-dev] SESS_DIR_LOW vs SESS_DIR_HIGH?

Ian Goldberg ian at cypherpunks.ca
Tue Jan 25 17:49:39 EST 2005


On Tue, Jan 25, 2005 at 01:48:54PM -0600, Evan Schoenberg wrote:
> What do SESS_DIR_LOW and SESS_DIR_HIGH mean?  I see that one is 
> bolded and one is not... is one your Secure ID and the other the remote 
> one? 

The secure session id is shared between the two of you.  One half is
bold; the intent is that if you choose to verify the session id by some
out-of-band means (phone, or whatever), you each read your bold part to
the other guy.

gaim-otr's README says:

    The "secure id" is another way to verify that you're actually
    chatting with your buddy, and not some eavesdropper
    ("man-in-the-middle" is the technical term).  Phone him up, and ask
    him to read his bold part, and read yours back to him.  If they're
    both correct, you're assured that there's no one intercepting your
    private conversation.  This is secure, even if you know that one or
    both of your private keys have been compromised.

> Also, do y'all think it is strictly necessary to always immediately 
> display session IDs when connected, or would it be reasonable to have a 
> "Show Details" which reveals this information if it is desired? 

That'd be fine, I think.

   - Ian
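
Added example, not part of the original message and not gaim-otr or libotr code: a sketch of the out-of-band check described above, showing that two directly connected sides see the same id with opposite bold halves, while an intercepted session fails the phone check. Assumptions: the toy DH group, deriving the id from a hash of the DH shared secret, the rule that picks which half is bold, and all function names are chosen for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption for the demo; far too small for real use).
P = 2**127 - 1   # Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_view(my_priv, my_pub, their_pub):
    """Return (first_half, second_half, index of the half shown in bold)."""
    shared = pow(their_pub, my_priv, P)
    # Assumed derivation: session id = first 8 bytes of SHA-256(shared secret).
    ssid = hashlib.sha256(shared.to_bytes(16, "big")).digest()[:8].hex()
    # Assumed rule: the side with the lower public key bolds the first half,
    # so the two sides always bold opposite halves.
    bold = 0 if my_pub < their_pub else 1
    return ssid[:8], ssid[8:], bold

def phone_check(view_a, view_b):
    """Each side reads its bold half aloud; the listener compares it with the
    same position of the id on their own screen."""
    a_bold, b_bold = view_a[2], view_b[2]
    return (a_bold != b_bold
            and view_a[a_bold] == view_b[a_bold]
            and view_b[b_bold] == view_a[b_bold])

def direct_session():
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return session_view(a_priv, a_pub, b_pub), session_view(b_priv, b_pub, a_pub)

def intercepted_session():
    # An interceptor substitutes its own DH key towards each side, so Alice
    # and Bob each share a secret with the interceptor, not with each other.
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    _, m_pub = keypair()
    return session_view(a_priv, a_pub, m_pub), session_view(b_priv, b_pub, m_pub)

if __name__ == "__main__":
    print("direct:", phone_check(*direct_session()))
    print("intercepted:", phone_check(*intercepted_session()))
```

The id here depends only on the per-session DH exchange, never on a long-term key, which is consistent with the README's statement that the check holds even if private keys are compromised.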


