[OTR-dev] OPPORTUNISTIC: Problems with not using OTR when both sides have an OTR plugin
Ian Goldberg
ian at cypherpunks.ca
Fri Jan 28 09:09:58 EST 2005
On Thu, Jan 27, 2005 at 04:20:55PM -0600, Evan Schoenberg wrote:
> Opportunistic is overzealous right now, I think, or I've got something
> configured wrong.
>
> 10 Bob and Jane both have OTR. Bob messages Jane. His OTR is
> immediately active, since the other side has it. Jane refuses Bob's
> fingerprint.. she's just not ready for that kind of commitment.
>
> 20 Bob's client thinks he has a secure connection. Messages he sends
> are encrypted.
> 30 Jane's client knows she has an unencrypted connection. She sends in
> plaintext, and can't read Bob's messages.
>
> 40 Bob is told that he is sending encrypted messages, so he toggles the
> "end private chat" and sends a message. It goes through in
> plaintext... Jane is asked to accept his fingerprint, she clicks No
> again. GOTO 20
>
> Does this describe expected behavior? I'm not sure if the proposed
> policy system solves for this cleanly or not.
Yes, that's the expected behaviour. Bob's client is trying very hard to
start an OTR session with Jane's client, which does in fact speak OTR.
The fact that Jane wants OTR installed, but doesn't want to OTR with Bob
in particular, is exactly the kind of thing the per-buddy policy system
will handle. (Jane sets her OTR policy for Bob to NEVER, or Bob can set
his for Jane to MANUAL.)
- Ian
More information about the OTR-dev
mailing list