[OTR-dev] Key validation via Namecoin

Daniel Kraft d at domob.eu
Sat Jul 27 12:04:03 EDT 2013

I don't know who of you have already heard about Namecoin [1] and
namecoin identities [2]. In short, it is a system where you can
register names (for instance like "id/domob" to get a nickname
"domob"), and once registered, you own the names and no-one can take
them away from you and only you are allowed to store values for them.
The whole system is based on Bitcoin's technology and is completely

[1] https://dot-bit.org/
[2] https://dot-bit.org/Namespace:Identity

This is in my opinion a very good way to exchange public keys. I can
store my public keys in my namecoin identity, and if I meet someone I
can just tell them that I'm "id/domob" (which is easy to remember) and
she can later on read my public GPG or OTR key (fingerprint) from
namecoin and be sure it is mine as long as she remembered my nickname.
As long as I keep the private key used to prove ownership of my name
safe, no-one can manipulate the public key fingerprints there.

For Bitmessage [3] I already implemented a proof-of-concept patch [4],
which integrates namecoin into the Bitmessage UI (just enter a
human-readable name as recipient address and have it translated into
the cryptic BM address stored with the matching namecoin identity). It
seems this was quite well received and is already used by some.

[3] https://bitmessage.org/
[4] https://bitmessage.org/forum/index.php/topic,2563.0.html

Now I'm thinking about how this could be used to verify OTR keys. (In
addition to the already existing options with shared secret /
question-answer.) For the Pidgin plugin, my plan is to have a fourth
option when verifying a key to check it with namecoin. If selected,
the user would have to enter a namecoin identity name he knows is
owned by his contact, and then it would be checked that the
fingerprint is really stored in that name's record.

What do you think about this idea in general? Also, if I wanted to
implement this addition to the OTR plugin, how should that be done? I
think it would be straight-forward to write it as patch to the
plugin's code, but I'm not sure if that's the best way to do (because
it only makes sense if you want to include it in the official OTR
plugin at some point in the future and I'm not sure you would/should).
Is it possible to write it as a separate Pidgin plugin, and have this
plugin alter the UI of the OTR plugin as well as communicate with it
(get the fingerprint to be verified and mark it as trusted)? Sorry if
that's a dumb question, but I don't really know much about how plugins
in Pidgin work (apart from some introductory tutorials which don't
cover more advanced details) ... is it possible for plugins to
interact with each other in this way, and can I "manipulate" the
behaviour of the OTR plugin from another plugin in this way? If this
would at least require some patches to the OTR plugin to allow it to
work, do they have a chance of getting into the "official" code?

Thanks for your input! Yours,

--
OpenPGP: 901C 5216 0537 1D2A F071 5A0E 4D94 6EED 04F7 CF52
--
Done: Arc-Bar-Cav-Hea-Kni-Ran-Rog-Sam-Tou-Val-Wiz
To go: Mon-Pri
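
An added example, not part of the original message and not code from the OTR or Namecoin projects: one way the check proposed above could work, failing closed on any doubt. The "otr" field, the record layout and the name "id/alice" are assumptions made for illustration; the message does not define them.

```python
import json
import re

# Constructed sample of what a Namecoin client could return for `name_show id/alice`.
# Assumption: the identity value is JSON whose "otr" field holds one fingerprint
# or a list of them.
SAMPLE_NAME_SHOW = json.dumps({
    "name": "id/alice",
    "value": json.dumps({"otr": ["0A1B2C3D 4E5F6071 8293A4B5 C6D7E8F9 0A1B2C3D"]}),
    "expires_in": 12345,
})


def normalize_fingerprint(text):
    """Return 40 lowercase hex digits, or None if text is not a fingerprint."""
    if not isinstance(text, str):
        return None
    compact = re.sub(r"[\s:]", "", text).lower()
    return compact if re.fullmatch(r"[0-9a-f]{40}", compact) else None


def verify_otr_fingerprint(name_show_json, expected_name, seen_fingerprint):
    """True only if the unexpired record for expected_name lists seen_fingerprint."""
    seen = normalize_fingerprint(seen_fingerprint)
    if seen is None:
        return False
    try:
        record = json.loads(name_show_json)
        # The record must be for exactly the name the user typed.
        if record.get("name") != expected_name:
            return False
        # An expired name can be re-registered by someone else.
        if record.get("expired") or record.get("expires_in", 0) <= 0:
            return False
        listed = json.loads(record["value"]).get("otr", [])
    except (ValueError, KeyError, TypeError, AttributeError):
        return False  # malformed record: never mark the key as trusted
    if isinstance(listed, str):
        listed = [listed]
    if not isinstance(listed, list):
        return False
    return seen in {normalize_fingerprint(fp) for fp in listed}


if __name__ == "__main__":
    fp = "0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d"
    print(verify_otr_fingerprint(SAMPLE_NAME_SHOW, "id/alice", fp))
```

The result is only as trustworthy as the blockchain view behind the lookup, so the query should go to a node the user controls.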