[OTR-dev] Key validation via Namecoin

Daniel Kraft d at domob.eu
Sat Jul 27 12:04:03 EDT 2013


Hi!

I don't know which of you have already heard about Namecoin [1] and
namecoin identities [2]. In short, it is a system where you can
register names (for instance like "id/domob" to get a nickname
"domob"), and once registered, you own the names and no-one can take
them away from you and only you are allowed to store values for them.
The whole system is based on Bitcoin's technology and is completely
decentralised.

[1] https://dot-bit.org/
[2] https://dot-bit.org/Namespace:Identity

This is in my opinion a very good way to exchange public keys. I can
store my public keys in my namecoin identity, and if I meet someone I
can just tell them that I'm "id/domob" (which is easy to remember) and
she can later on read my public GPG or OTR key (fingerprint) from
namecoin and be sure it is mine as long as she remembered my nickname.
As long as I keep the private key used to prove ownership of my name
safe, no-one can manipulate the public key fingerprints there.

For Bitmessage [3] I already implemented a proof-of-concept patch [4],
which integrates namecoin into the Bitmessage UI (just enter a
human-readable name as recipient address and have it translated into
the cryptic BM address stored with the matching namecoin identity). It
seems this was quite well received and is already used by some.

[3] https://bitmessage.org/
[4] https://bitmessage.org/forum/index.php/topic,2563.0.html

Now I'm thinking about how this could be used to verify OTR keys. (In
addition to the already existing options with shared secret /
question-answer.) For the Pidgin plugin, my plan is to have a fourth
option when verifying a key to check it with namecoin. If selected,
the user would have to enter a namecoin identity name he knows is
owned by his contact, and then it would be checked that the
fingerprint is really stored in that name's record.

What do you think about this idea in general? Also, if I wanted to
implement this addition to the OTR plugin, how should that be done? I
think it would be straight-forward to write it as a patch to the
plugin's code, but I'm not sure if that's the best way to do it (because
it only makes sense if you want to include it in the official OTR
plugin at some point in the future and I'm not sure you would/should).
Is it possible to write it as a separate Pidgin plugin, and have this
plugin alter the UI of the OTR plugin as well as communicate with it
(get the fingerprint to be verified and mark it as trusted)? Sorry if
that's a dumb question, but I don't really know much about how plugins
in Pidgin work (apart from some introductory tutorials which don't
cover more advanced details) ... is it possible for plugins to
interact with each other in this way, and can I "manipulate" the
behaviour of the OTR plugin from another plugin in this way? If this
would at least require some patches to the OTR plugin to allow it to
work, do they have a chance of getting into the "official" code?

Thanks for your input! Yours,
Daniel

--
http://www.domob.eu/
OpenPGP: 901C 5216 0537 1D2A F071 5A0E 4D94 6EED 04F7 CF52
--
Done: Arc-Bar-Cav-Hea-Kni-Ran-Rog-Sam-Tou-Val-Wiz
To go: Mon-Pri
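The check proposed in the message above (look up the contact's identity name and confirm that the session's OTR fingerprint is stored in its record), sketched as an added example that is not part of the original message or of any OTR or Namecoin code. It assumes the record value has already been fetched from a Namecoin node the user trusts and that the fingerprint sits in a hypothetical `otr` field of a JSON value; the post does not specify the record layout.

```python
import json
import re

# Assumed layout (not from the post): the id/ name's value is a JSON object
# whose hypothetical "otr" field holds one fingerprint or a list of them.
OTR_FIELD = "otr"
_FPR_RE = re.compile(r"[0-9A-F]{40}")  # OTR fingerprint: SHA-1, 40 hex digits


def normalize_fingerprint(text):
    """Return the fingerprint as 40 upper-case hex digits, or None if malformed."""
    if not isinstance(text, str):
        return None
    compact = re.sub(r"[\s:]", "", text).upper()
    return compact if _FPR_RE.fullmatch(compact) else None


def verify_otr_fingerprint(name, record_value, session_fpr):
    """Check the fingerprint seen in the OTR session against the name's record.

    Returns (trusted, reason). Every failure path returns trusted=False, so a
    malformed or incomplete record can never mark a key as verified.
    """
    if not name.startswith("id/"):
        return False, "not an identity name"
    seen = normalize_fingerprint(session_fpr)
    if seen is None:
        return False, "session fingerprint malformed"
    try:
        record = json.loads(record_value)
    except (TypeError, ValueError):
        return False, "record is not valid JSON"
    if not isinstance(record, dict) or OTR_FIELD not in record:
        return False, "record has no OTR fingerprint"
    listed = record[OTR_FIELD]
    candidates = listed if isinstance(listed, list) else [listed]
    for entry in candidates:
        if normalize_fingerprint(entry) == seen:
            return True, "fingerprint published under " + name
    return False, "fingerprint not published under " + name


# Constructed sample data, not real keys.
SAMPLE_VALUE = json.dumps({"otr": ["0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"]})
SAMPLE_FPR = "01234567 89abcdef 01234567 89abcdef 01234567"
```

The result is only as trustworthy as the source of `record_value` and the user's memory of the name: a record served by an untrusted or out-of-date node, or a mistyped identity name, defeats the check.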