[OTR-dev] Separate Fingerprint For Each Account?

otr at synx.us.to otr at synx.us.to
Sat Sep 20 14:47:46 EDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Donny Viszneki wrote:
> What you seem to want mostly out of this is auto-verification of keys
> where it is applicable.

Heh, it does seem like that. The complaint against my idea seems to be
that we need to verify each key for each account separately. What I want
isn't the applicable auto-verification though, I'm just trying to
describe how such auto-verification is a non-problem. Unless I'm wrong
of course, in which case I'll quietly go back to the drawing board.

What I want is when a powerful attacker (like laziness for example) cuts
me off from my jabber account or my AIM, or renders it so I can no
longer log in somewhere, I want to be able to start up a new account at
a (hopefully) more stable server, and have my identity not require
re-verification. With my idea, there would be no second automatic
verification, because the same key is being used, only the account is
changing.

The distinction is that if you use different keys and somehow try to
coordinate which keys belong to who, you'll get in trouble with the
situation I described. Even if there is an OTR message to verify one key
via another, the key that was verified is now forever inaccessible since
my original account was blocked, and I can't use the same key on a new
account. My new key will be as unverifiable as if I had never talked
with my friends in the first place. I see that as a problem.

When the phone company has to replace the wires it uses, it doesn't
require everyone to start using a new phone number. I don't see why that
must be so with the already self-authorizable OTR.

> (if
> I understand correctly that you mostly want automatic, painless
> verification of multiple accounts belonging to the same user) 

You're close, but what I want is for the user to be independent of which
account that user is using. To have one or more identities that use the
accounts, but are not bound by them.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjVRVIACgkQB/meY5RuPPT2uwCffrCkegpmeHqETGofRXHo9BgD
wUUAn3MtpYGPUnz7S0brWi54MkfEZjiG
=WqZI
-----END PGP SIGNATURE-----
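
The difference between verification bound to an account and verification bound to a key, as discussed in this message, shown as an added sketch that is not part of the original post and not OTR's own code. The store classes, account names and key bytes are hypothetical and constructed for illustration.

```python
import hashlib

def fingerprint(pubkey: bytes) -> str:
    # OTR fingerprints are SHA-1 hashes of the public key; the key bytes
    # used below are constructed placeholders, not real keys.
    return hashlib.sha1(pubkey).hexdigest()

class AccountBoundStore:
    """Hypothetical store: verification recorded per (protocol, account, key)."""
    def __init__(self):
        self._verified = set()
    def verify(self, protocol, account, fp):
        self._verified.add((protocol, account, fp))
    def is_verified(self, protocol, account, fp):
        return (protocol, account, fp) in self._verified

class KeyBoundStore:
    """Hypothetical store: verification recorded per key; accounts are only
    remembered as transports the key has been seen on."""
    def __init__(self):
        self._seen = {}  # fingerprint -> set of (protocol, account)
    def verify(self, protocol, account, fp):
        self._seen.setdefault(fp, set()).add((protocol, account))
    def is_verified(self, protocol, account, fp):
        # Assumes fp is the key the peer proved possession of in the OTR
        # key exchange, so the account name carries no trust of its own.
        if fp not in self._seen:
            return False
        self._seen[fp].add((protocol, account))
        return True
    def accounts(self, fp):
        return sorted(self._seen.get(fp, ()))

def migration_scenario():
    alice = fingerprint(b"constructed-alice-public-key")
    other = fingerprint(b"constructed-unrelated-public-key")
    results = {}
    for name, store in (("account", AccountBoundStore()), ("key", KeyBoundStore())):
        store.verify("xmpp", "alice@old.example", alice)  # verified once
        results[name] = (
            store.is_verified("xmpp", "alice@new.example", alice),  # same key, new account
            store.is_verified("xmpp", "alice@old.example", other),  # old account, different key
        )
    return results

if __name__ == "__main__":
    print(migration_scenario())
```

In the key-bound store the move to a new account needs no second verification, while a different key presented on the old account name stays unverified.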


