[OTR-dev] Allow OTR to use one of my OpenPGP sub/keys?

cypherpunks.boxy at xoxy.net
Thu Nov 7 05:28:12 EST 2013


> Any thoughts on allowing OTR to grab a key from an OpenPGP cert?  

I had brought this question up on the pidgin ticket system before it
dawned on me that it was more associated with OTR; but then I had second
thoughts ...  I'm posting here a part of my post over there, as I think
it's relevant for broader discussion.  Perhaps there is a way around the
issues I'm bringing up?  A key management plugin, perhaps, that
encryption plugins depend on??

https://developer.pidgin.im/ticket/15805#comment:3

   ... I must say that even dealing with it in OTR leaves a problem. We
   have three encryption plugins: OTR, Pidgin-GPG and
   Pidgin-Encryption. The latter two are quite different from OTR,
   giving us the ability to leave asynchronous messages. So we need at
   least one of them. It would be annoying to have each plugin recreate
   the ability to access our OpenPGP cert. Besides the extra coding, if
   I use some key for OTR and use the same key for Pidgin-GPG (both, on
   the same account), I have to import it twice. Importing it twice
   means my buddy has to verify it twice, once for each plugin, even if
   it's the same account.

   It seems to me what we really need is: 

   (1, primary & less complicated) some kind of capacity in pidgin to
   associate a key with a specific account.

   (1.1) Instead of each plugin generating their own keys, we need one
   key generating mechanism.

   (1.2) Instead of each plugin importing OpenPGP keys, we need one key
   import mechanism.

   (2, secondary and slightly more complicated) When I verify my buddy's
   key, I want to be verifying it in an account, rather than once in OTR
   and etc for the other encryption plugins. So my buddy's keys should
   also be associated with the account, rather than the plugin.

   Verification is like signing a key, so what this would provide is
   effectively one keychain per account.

   (3, tertiary and difficult) It would be _really_ nice if I could
   import those keys in my gpg keyring whose IDs are associated with an
   account in my contacts list. Then, if a particular key presented by
   my buddy has a trust path in my gpg keyring, it would be marked in
   pidgin as verified for that account.

   This is pointing to some element of key management in Pidgin -
   somewhere between simple & more elaborate - rather than leaving it to
   the plugins.

/DA



