[OTR-dev] libotr silent api change / bug wrt smp

Kjell Braden fnord at pentabarf.de
Sun Oct 3 10:10:39 EDT 2010


On 03.10.2010 15:01, Sven Moritz Hallberg wrote:
> Hi all,
> 
> In the process of updating OTR support for the BitlBee[1] IM client, I've
> stumbled across this:
> 
> When using SMP with the new "question and answer" style (initiated via SMP1Q),
> libotr did not set the active fingerprint's trust string after receiving SMP3
> (i.e. in the role of the *respondent* to an smp "challenge").
> 


Hi Sven,

  that behavior is correct. The "question and
answer"-style-authentication is not supposed to set the trust level on
both sides, but rather on the side that posed the question. If Alice
sent Bob the Question, Bob will receive SMP1Q and SMP3. After SMP3 Bob
knows if his answer was correct, and he should be offered to verify
Alice now by asking her a question himself.

  Your handling of the CHEATED case sounds correct to me, as it's the
same thing the "reference implementation" (pidgin-otr) does.

HTH
-- 
Kjell
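
The exchange described in the reply above, as an added Python sketch that is not part of the original thread and is not libotr code: it runs the SMP arithmetic for a question-and-answer round and records when each side learns the outcome and which side marks trust. Assumptions: a toy modulus and generator constructed for the sketch, the secret derived from the answer text alone, the zero-knowledge proofs that accompany each real SMP message left out, and hypothetical function and field names.

```python
import hashlib
import secrets

P = 2**521 - 1  # toy prime modulus, constructed for this sketch (not OTR's group)
G = 3           # toy generator, constructed for this sketch

def rand_exp():
    return secrets.randbelow(P - 2) + 1

def secret_to_int(answer):
    # Assumption: the secret is derived from the answer text alone.
    return int.from_bytes(hashlib.sha256(answer.encode()).digest(), "big")

def div(a, b):
    return a * pow(b, -1, P) % P  # modular division (Python 3.8+)

def smp_question_and_answer(alice_answer, bob_answer):
    """Alice poses the question (SMP1Q), Bob answers. Returns (alice, bob) state."""
    x, y = secret_to_int(alice_answer), secret_to_int(bob_answer)
    alice = {"learned_after": None, "match": None, "trust_set": False}
    bob = {"learned_after": None, "match": None, "trust_set": False}

    # SMP1Q, Alice -> Bob: question text, g2a, g3a
    a2, a3 = rand_exp(), rand_exp()
    g2a, g3a = pow(G, a2, P), pow(G, a3, P)

    # SMP2, Bob -> Alice: g2b, g3b, Pb, Qb (Bob commits to his answer y)
    b2, b3, r = rand_exp(), rand_exp(), rand_exp()
    g2b, g3b = pow(G, b2, P), pow(G, b3, P)
    g2, g3 = pow(g2a, b2, P), pow(g3a, b3, P)
    pb, qb = pow(g3, r, P), pow(G, r, P) * pow(g2, y, P) % P

    # SMP3, Alice -> Bob: Pa, Qa, Ra (Alice commits to the expected answer x)
    s = rand_exp()
    g2_alice, g3_alice = pow(g2b, a2, P), pow(g3b, a3, P)
    pa, qa = pow(g3_alice, s, P), pow(G, s, P) * pow(g2_alice, x, P) % P
    ra = pow(div(qa, qb), a3, P)

    # Bob can complete the comparison as soon as SMP3 arrives.
    bob["learned_after"] = "SMP3"
    bob["match"] = pow(ra, b3, P) == div(pa, pb)
    # Question-and-answer style: Bob only answered, so his side sets no trust.

    # SMP4, Bob -> Alice: Rb. Only now can Alice complete the comparison.
    rb = pow(div(qa, qb), b3, P)
    alice["learned_after"] = "SMP4"
    alice["match"] = pow(rb, a3, P) == div(pa, pb)
    alice["trust_set"] = alice["match"]  # the side that posed the question
    return alice, bob
```

For Bob to mark Alice as verified, the roles are swapped and the round is run again with Bob posing the question.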


