[OTR-dev] Allow OTR to use one of my OpenPGP sub/keys?

Ximin Luo infinity0 at gmx.com
Thu Nov 7 10:01:52 EST 2013


Please fix your mail client to send proper References: headers; it is destroying the continuity of emails in this thread.

On 07/11/13 14:53, cypherpunks.boxy at xoxy.net wrote:
> 
>>> cypherpunks.boxy at xoxy.net wrote:
>>> Any thoughts on allowing OTR to grab a key from an OpenPGP cert?  
> 
>> Ximin Luo <infinity0 at gmx.com> wrote:
>> See this discussion[1] and subsequent messages.
> 
> Thanks, very interesting...
> 
>> TL;DR version is yes you can do it, and some of us want to do it. The
>> least problematic workflow that is most compatible with existing
>> workflows is:
> 
>> - have a tool, e.g. some extension to monkeysphere, that creates an
>> Authentication-use subkey with the critical notation that says
>> something like "for OTR use only"
> 
> Why would it have to be only for OTR use?  In Pidgin, there is also a
> GPG plugin.  Why couldn't we use the same key for that, in case we're
> comfortable with receiving an asynchronous communication?
> 

Security concerns mean that it's wise not to use different keys for different protocols. I don't know what that GPG plugin does, but I am guessing it's not OTR - so unless you can prove it's safe, it is best to assume it's not safe.

Just because you can, doesn't mean you should; semantically it would be similar to using the same key to lock your front door, as well as a random safety deposit box at your bank, plus as a stamp for a wax seal you put on your letters.

Relevant:

http://security.stackexchange.com/questions/1806/why-should-one-not-use-the-same-asymmetric-key-for-encryption-as-they-do-for-sig

>> [...]
> 
>> - have yet another tool that scans your otr application for collected
>> public keys, and tries to verify their validity against your PGP trust
>> database, optionally downloading missing keys from keyservers.
> 
> I wonder if this way, things might get a bit too fragmented?  Perhaps a
> key management interface to the chat client, which any encryption plugin
> might use?  (See my other post in this thread:
> http://lists.cypherpunks.ca/pipermail/otr-dev/2013-November/001990.html.)
> 

They can all be integrated into the same UI for sure. What I meant by "separate tools" is that architecturally they are separate concerns and the processes have different lifetimes. The generation/conversion tool would be run once per account (or group of linked accounts), and the auto-sync-verify would be run periodically.

Seriously, have a look at monkeysphere, it is pretty much directly analogous to what it does for SSH.

X

-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
