[OTR-dev] Separate Fingerprint For Each Account?

otr at synx.us.to otr at synx.us.to
Mon Sep 22 00:37:36 EDT 2008


Ian Goldberg wrote:
> We're in complete agreement.  OTR is agnostic on the whole identity
> issue; it's up to the application to convey this notion of identity to
> the user, and none of them does such a thing.

If OTR were agnostic on the whole identity issue, why does it generate
one key for each "identity" account? I mean, if it were agnostic it
would generate one key, and not record which account that key was used
on, using the key on all accounts. It would leave it up to the client to
"ensure" that someone's identity is sound. Of course the clients cannot
do that perfectly, which might be an argument for having OTR be slightly
less agnostic.

In the OTR API, there is a structure called "context". It has as its
members "username" and "accountname". These are used to determine which
context to encrypt with. I really can't understand how that would be
agnostic of accounts, since they're so obviously required to get a
context in the first place.

My idea was to modify the plugin so it used some dummy for account name,
and another dummy for username, and used those dummies to get a context
for every IM account. I would question the utility of having those
fields to look up with in the first place, but it should be possible to
fill them with an abstract identity instead of a physical IM account.

Instead of keeping track of which key to use for which of your accounts,
I'd have to add something keeping track of which key your buddies are
using, and maybe pop up some warnings if that key changes in suspicious
ways. I'm thinking with the Pidgin plugin, but the proxy could also pop
up GUI windows if it had to.

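The bookkeeping proposed at the end of the message above (remember which key each buddy uses, warn when it changes), as an added example that is not part of the original post and is not libotr or pidgin-otr code. The names `pin_check` and `struct pin`, the 40-hex-character fingerprint format and the "alice" identity are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PINS 16
#define FPR_LEN  40  /* assumption: fingerprint kept as 40 hex characters */
enum pin_result { PIN_NEW, PIN_MATCH, PIN_CHANGED, PIN_INVALID };

/* One pin per abstract buddy identity, whichever IM account carried the key. */
static struct pin { char identity[64]; char fpr[FPR_LEN + 1]; } pins[MAX_PINS];
static size_t npins;

/* Lower-case a fingerprint into out; returns 0 unless it is FPR_LEN hex chars. */
static int fpr_norm(const char *in, char *out)
{
    size_t i;
    if (strlen(in) != FPR_LEN) return 0;
    for (i = 0; i < FPR_LEN; i++) {
        if (!isxdigit((unsigned char)in[i])) return 0;
        out[i] = (char)tolower((unsigned char)in[i]);
    }
    out[FPR_LEN] = '\0';
    return 1;
}

/* First sighting is pinned; a different key later is reported, never stored. */
enum pin_result pin_check(const char *identity, const char *fpr)
{
    char f[FPR_LEN + 1];
    size_t i, n = strlen(identity);
    if (n == 0 || n >= sizeof pins[0].identity || !fpr_norm(fpr, f))
        return PIN_INVALID;
    for (i = 0; i < npins; i++)
        if (strcmp(pins[i].identity, identity) == 0)
            return strcmp(pins[i].fpr, f) == 0 ? PIN_MATCH : PIN_CHANGED;
    if (npins == MAX_PINS) return PIN_INVALID;
    strcpy(pins[npins].identity, identity);
    strcpy(pins[npins++].fpr, f);
    return PIN_NEW;
}

int main(void)
{
    /* Constructed sample fingerprints, not real keys. */
    const char *a = "0123456789abcdef0123456789abcdef01234567";
    const char *b = "fedcba9876543210fedcba9876543210fedcba98";
    printf("first sighting: %d\n", pin_check("alice", a));
    printf("changed key:    %d\n", pin_check("alice", b));
    return 0;
}
```

Because `PIN_CHANGED` leaves the stored pin untouched, the caller decides whether to warn, block, or re-verify before replacing it.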

