[OTR-dev] Re: Backwards compatibility

Ian Goldberg ian at cypherpunks.ca
Tue May 27 10:53:54 EDT 2008


On Tue, May 27, 2008 at 04:38:25PM +0200, Kjell Braden wrote:
> > Others:
> > 
> >     Please try out the new code and tell me if something goes horribly
> >     wrong (doesn't compile on your platform, doesn't work in some
> >     weird case, etc.).
> > 
> > 
> Hi Ian,
> 
> I've not yet tested your code but had a look at the handling of the
> SMP1Q tlv. If I read the source code in the svn correctly, does this
> mean that a 3.1.0 user who receives an SMP1Q TLV sees nothing, as he
> doesn't know it yet? If so, I think it would be more sensible to just
> re-use the old SMP1 TLV and add the data section question there, which
> would result in the same thing for two 3.2.0 users, but 3.1.0 would not
> see the question (but they would still see the initial SMP request!).

SMP1Q has slightly different semantics from SMP1, so we intentionally
made it a different TLV type.  If you pose a question to your buddy Bob
(who answers it correctly), you will authenticate Bob, but Bob will not
automatically authenticate you.  If Bob is running 3.1.0, which assumes
a preshared secret (which does indeed imply mutual authentication), we
don't want his code to "fall back" to authenticating you when it
shouldn't, and also, he won't see the question, which will be a subtler
problem more likely to be overlooked than the authentication window not
coming up at all.

   - Ian
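
The trade-off discussed in this message, as an added example (not part of the original message and not libotr code): a simplified TLV walker showing what a client without SMP1Q support does with a separate SMP1Q TLV versus a question carried in a reused SMP1 TLV. The type numbers 2 and 7 are taken from the published OTR protocol specification; the function, enum and sample names are hypothetical, the sample bytes are constructed, and the older client is modelled as not parsing the SMP1 value at all.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLV type numbers per the published OTR protocol spec (not stated in the message). */
#define TLV_SMP1  0x0002
#define TLV_SMP1Q 0x0007

enum smp_event { EV_NONE, EV_SHARED_SECRET_PROMPT, EV_QUESTION_PROMPT, EV_MALFORMED };

/* Constructed samples: "Pet?" question plus 4 placeholder bytes, not real SMP data. */
static const uint8_t SAMPLE_SMP1Q[]       = {0,7, 0,9, 'P','e','t','?',0, 0,0,0,0};
static const uint8_t SAMPLE_REUSED_SMP1[] = {0,2, 0,9, 'P','e','t','?',0, 0,0,0,0};

/* Walk a TLV stream (big-endian 2-byte type, 2-byte length, then value) the way a
 * client would that does (knows_smp1q=1) or does not (=0) implement SMP1Q. */
enum smp_event handle_tlvs(const uint8_t *buf, size_t len, int knows_smp1q,
                           const char **question)
{
    enum smp_event ev = EV_NONE;
    *question = NULL;
    while (len >= 4) {
        unsigned type = ((unsigned)buf[0] << 8) | buf[1];
        size_t vlen = ((size_t)buf[2] << 8) | buf[3];
        buf += 4; len -= 4;
        if (vlen > len) return EV_MALFORMED;       /* length runs past the buffer */
        if (type == TLV_SMP1) {
            ev = EV_SHARED_SECRET_PROMPT;          /* legacy meaning: mutual auth */
        } else if (type == TLV_SMP1Q && knows_smp1q) {
            if (!memchr(buf, 0, vlen)) return EV_MALFORMED; /* question needs NUL */
            *question = (const char *)buf;
            ev = EV_QUESTION_PROMPT;               /* only the asker authenticates */
        }                                          /* any other type is skipped */
        buf += vlen; len -= vlen;
    }
    return len ? EV_MALFORMED : ev;                /* trailing partial header */
}

int main(void)
{
    const char *q;
    int a = handle_tlvs(SAMPLE_SMP1Q, sizeof SAMPLE_SMP1Q, 0, &q);
    int b = handle_tlvs(SAMPLE_REUSED_SMP1, sizeof SAMPLE_REUSED_SMP1, 0, &q);
    int c = handle_tlvs(SAMPLE_SMP1Q, sizeof SAMPLE_SMP1Q, 1, &q);
    printf("old+SMP1Q=%d old+reused SMP1=%d new+SMP1Q=%d question=%s\n", a, b, c, q);
    return 0;
}
```

In this model the older client returns `EV_NONE` for the SMP1Q TLV (no window at all) but `EV_SHARED_SECRET_PROMPT` for the reused SMP1 TLV, which is the mutual-authentication fallback without the question.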
