[OTR-dev] Separate Fingerprint For Each Account?

Ian Goldberg ian at cypherpunks.ca
Sat Sep 20 15:07:34 EDT 2008


On Sat, Sep 20, 2008 at 11:47:46AM -0700, otr at synx.us.to wrote:
> Donny Viszneki wrote:
> > What you seem to want mostly out of this is auto-verification of keys
> > where it is applicable.
> 
> Heh, it does seem like that. The complaint against my idea seems to be
> that we need to verify each key for each account separately. What I want
> isn't the applicable auto-verification though, I'm just trying to
> describe how such auto-verification is a non-problem. Unless I'm wrong
> of course, in which case I'll quietly go back to the drawing board.
> 
> What I want is when a powerful attacker (like laziness for example) cuts
> me off from my jabber account or my AIM, or renders it so I can no
> longer log in somewhere, I want to be able to start up a new account at
> a (hopefully) more stable server, and have my identity not require
> re-verification. With my idea, there would be no second automatic
> verification, because the same key is being used, only the account is
> changing.

That's great, so long as your IM client has the concept of "all these
account's I've seen are really the same person".  Then if it sees a new
IM account using the same OTR key, it can automatically add that new
account to the bunch.

But IM clients (that I've seen, anyway) don't have that concept.  All
they see are account names.  So if I've previously authenticated you as
"Bob", and your key suddenly shows up as "alice at jabber.de", how does my
IM client let me know that "alice at jabber.de" is really the person I
previously knew as "Bob", and not the person I know as
"alice at jabber.ca"?  Worse, what if I already know (and have verified)
the _real_ alice at jabber.de, and you're spoofing her account?

> The distinction is that if you use different keys and somehow try to
> coordinate which keys belong to who, you'll get in trouble with the
> situation I described.

Remember again that almost every OTR user has no idea what a key is, and
so doesn't in fact coordinate which key belongs to who.

> When the phone company has to replace the wires it uses, it doesn't
> require everyone to start using a new phone number. I don't see why that
> must be so with the already self-authorizable OTR.

That's not a good analogy.  A better one is that a few years back,
before number portability, if you switched cell phone carriers, your
number would indeed change.  Then you had to let your friends know your
new number.

IM account names are like non-portable phone numbers: they're tied to
the underlying architecture.  If we had a higher-level concept of
identity, that would be more like modern portable phone numbers.

   - Ian



More information about the OTR-dev mailing list