[OTR-dev] Multiple accounts

Greg Troxel gdt at ir.bbn.com
Tue Jul 2 10:12:10 EDT 2013


Howard Chu <hyc at symas.com> writes:

> Jonas Wielicki wrote:
>> Adding complications such as key sync, key management, revocation etc.
>> is not what I consider useful for the general case.
>
> Indeed, it completely misses the point. OTR provides repudiable
> communication. Unifying all your keys would weaken or destroy that
> property.

Not true - OTR's signing key to authenticate a session is similar to
OpenPGP.  The difference is that session keys are authenticated, not
message content, and repudiability (word?) is achieved by using
symmetric MACs and disclosing them.  So strengthening the
authentication key into a real PKI of some sort would not break the
repudiability property.

I'd like to see a way to:

  1) sign an OTR signing key with an OpenPGP key

  2) use OpenPGP to verify a peer's OTR signing key

  3) (perhaps) send the signature from 1 via OTR

with all of this (at least 1 and 3) being optional, with no change to
behavior if not done.

Checking keys is hard, and sharing that work among multiple channels
seems like a win.
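As an added illustration of the split Greg describes (not part of his message or of the OTR code base), the toy script below runs a Diffie-Hellman exchange whose public values would be what the long-term signing key signs, derives the symmetric MAC key both peers share, and then checks who can produce a valid tag on a message the other party never sent. The group parameters, key derivation and message strings are constructed for the demo and are not OTR's real ones.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only (far too small to be secure).
P = 2**127 - 1
G = 3


def dh_keypair():
    """Ephemeral DH key. In OTR's AKE the public half is what the long-term signing key signs."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive_mac_key(shared_secret: int) -> bytes:
    """Both peers derive the same symmetric MAC key from the DH result (simplified KDF, not OTR's)."""
    return hashlib.sha256(b"otr-demo-mac|" + shared_secret.to_bytes(16, "big")).digest()


def mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, message), tag)


def session_demo():
    """Run one session and report whose fabricated messages carry a valid tag."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # Only a_pub / b_pub are covered by long-term signatures; the MAC key below never is.
    key_alice = derive_mac_key(pow(b_pub, a_priv, P))
    key_bob = derive_mac_key(pow(a_pub, b_priv, P))
    assert key_alice == key_bob

    genuine = b"meet at 10"
    tag = mac(key_alice, genuine)

    # Bob holds the same key, so he can tag a message Alice never sent.
    forged = b"meet at 11"
    forged_tag = mac(key_bob, forged)

    # After the session OTR discloses the old MAC key, so an outsider can do the same.
    outsider_msg = b"I never said this"
    outsider_tag = mac(key_alice, outsider_msg)

    return {
        "genuine_verifies": verify(key_bob, genuine, tag),
        "peer_forgery_verifies": verify(key_alice, forged, forged_tag),
        "outsider_forgery_verifies": verify(key_alice, outsider_msg, outsider_tag),
    }


if __name__ == "__main__":
    print(session_demo())
```

All three checks come back true: a valid MAC tag proves only that someone holding the session key wrote the message, which is exactly why a stronger long-term key changes nothing about deniability.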
