[OTR-dev] Allow OTR to use one of my OpenPGP sub/keys?

Ximin Luo infinity0 at gmx.com
Thu Nov 7 14:55:45 EST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 07/11/13 15:01, Ximin Luo wrote:
>> 
>>> - have a tool, e.g. some extension to monkeysphere, that creates an 
>>> Authentication-use subkey with the critical notation that says 
>>> something like "for OTR use only"
>> 
>> Why would it have to be only for OTR use?  In Pidgin, there is also a 
>> GPG plugin.  Why couldn't we use the same key for that, in case we're 
>> comfortable with receiving an asynchronous communication?
>> 
> 
> Security concerns mean that it's wise not to use different keys for
> different protocols. I don't know what that GPG plugin does, but I am
> guessing it's not OTR - so unless you can prove it's safe, it is best to
> assume it's not safe.
> 

Sorry, typo; "wise to use different", or "wise not to use same".

> Just because you can, doesn't mean you should; semantically it would be
> similar to using the same key to lock your front door, as well as a random
> safety deposit box at your bank, plus as a stamp for a wax seal you put on
> your letters.
> 
> Relevant:
> 
> http://security.stackexchange.com/questions/1806/why-should-one-not-use-the-same-asymmetric-key-for-encryption-as-they-do-for-sig
>
> 
- -- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git


