[OTR-dev] Allow OTR to use one of my OpenPGP sub/keys?
Ximin Luo
infinity0 at gmx.com
Thu Nov 7 10:01:52 EST 2013
Please fix your mail client to send proper References: headers; it is destroying the continuity of emails in this thread.
On 07/11/13 14:53, cypherpunks.boxy at xoxy.net wrote:
>
>>> cypherpunks.boxy at xoxy.net wrote:
>>> Any thoughts on allowing OTR to grab a key from an OpenPGP cert?
>
>> Ximin Luo <infinity0 at gmx.com> wrote:
>> See this discussion[1] and subsequent messages.
>
> Thanks, very interesting...
>
>> TL;DR version is yes you can do it, and some of us want to do it. The
>> least problematic workflow that is most compatible with existing
>> workflows is:
>
>> - have a tool, e.g. some extension to monkeysphere, that creates an
>> Authentication-use subkey with the critical notation that says
>> something like "for OTR use only"
>
> Why would it have to be only for OTR use? In Pidgin, there is also a
> GPG plugin. Why couldn't we use the same key for that, in case we're
> comfortable with receiving an asynchronous communication?
>
Security concerns mean that it's wise not to use different keys for different protocols. I don't know what that GPG plugin does, but I am guessing it's not OTR - so unless you can prove it's safe, it is best to assume it's not safe.
Just because you can, doesn't mean you should; semantically it would be similar to using the same key to lock your front door, as well as a random safety deposit box at your bank, plus as a stamp for a wax seal you put on your letters.
Relevant:
http://security.stackexchange.com/questions/1806/why-should-one-not-use-the-same-asymmetric-key-for-encryption-as-they-do-for-sig
>> [...]
>
>> - have yet another tool that scans your otr application for collected
>> public keys, and tries to verify their validity against your PGP trust
>> database, optionally downloading missing keys from keyservers.
>
> I wonder if this way, things might get a bit too fragmented? Perhaps a
> key management interface to the chat client, which any encryption plugin
> might use? (See my other post in this thread:
> http://lists.cypherpunks.ca/pipermail/otr-dev/2013-November/001990.html.)
>
They can all be integrated into the same UI for sure. What I meant by "separate tools" is that architecturally they are separate concerns and the processes have different lifetimes. The generation/conversion tool would be run once per account (or group of linked accounts), and the auto-sync-verify would be run periodically.
Seriously, have a look at monkeysphere, it is pretty much directly analogous to what it does for SSH.
X
--
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cypherpunks.ca/pipermail/otr-dev/attachments/20131107/cdf63299/attachment.pgp>
More information about the OTR-dev
mailing list