[OTR-dev] Multiple accounts

Kurt Roeckx kurt at roeckx.be
Tue Jul 2 09:35:35 EDT 2013


On Mon, Jul 01, 2013 at 11:12:53AM -0400, Hans-Christoph Steiner wrote:
> 
> I'm not an OTR dev, but I spend a lot of time thinking about these issues
> since I'm working on OTR key syncing.  I think the reason you outlined, not
> automatically cryptographically linking accounts, is a good one.  I think it
> makes sense to generate a key per account by default to leak as little info as
> possible.  Then focus on making the key verification process as easy as
> possible, and it's win/win.  SMP questions are a step in that direction, but I
> still think they are too hard to be generally useful.

I think most people don't actually care about that leakage.
I think the default should be to only have 1 key, and people
who really care about it should have the option to use
multiple keys.

But I wonder if you now already support having a contact
(over the same protocol) using multiple keys.  For instance
on a different device.  Would there now be a need to
re-authenticate every time there is a switch of device?

I wonder if we maybe need something like subkeys, where
each device has its own subkey.

I'm also wondering about revoking a key.  Is that currently
possible?

I seem to be more and more going to a PGP model, and have
to wonder if it's possible to use my GPG key for OTR.
Unfortunately OTR seems to be using DSA while people seem
to be moving to RSA.  But it shouldn't be a problem adding
a DSA subkey for OTR.

And if you could use the gpg-agent to do all this, I think
that would be a good thing.


Kurt



