[OTR-dev] Peer validity TLV
Ola Bini
list at olabini.se
Fri Oct 2 20:16:49 EDT 2015
Hi,
Lately I've been thinking about how to communicate the decisions OTR is making in such a way that users can make informed choices based on that. I realized that one thing I've missed when using OTR-enabled clients is the possibility of knowing whether my peer has validated my key or not.
I would like to propose a new experimental TLV that would roughly work like this:
It will be automatically sent in two cases:
- after the initial AKE has finished
- when any of the information conveyed in the TLV has changed
The information in the TLV would simply be two values. The first one is a boolean that says whether my OTR instance has authenticated the other person's fingerprint or concluded an SMP successfully. The second value is a value that can range from 0 to 100 and is something I call a "security rating". Basically, this rating is an opaque judgment of how secure the connection is from my perspective. It can take into account whether I'm using TLS to talk to the XMPP server, whether Tor is used, whether logs are turned off, etc. The idea is that my client can give the other client a rough indication of how secure we think the situation is. This second value is vaguely specified on purpose, since it will always be subjective to the local peer's situation.
So - is this proposal completely stupid, or something others think would be valuable as well?
Thoughts?
--
Ola Bini (https://olabini.se)
"Yields falsehood when quined" yields falsehood when quined.
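
The proposal above, sketched as an added example that is not part of the original post or of any OTR implementation: it encodes the two values in the standard OTR TLV record layout (2-byte type, 2-byte length, value), decodes them strictly on receipt, and sends only in the two cases the post lists. The type number `0x00F0`, the two-byte value layout and all function and class names are assumptions, since the post specifies none of them.

```python
import struct

# Placeholder type number: the post does not assign one (assumption).
TLV_PEER_VALIDITY = 0x00F0
TLV_PADDING = 0x0000  # existing OTR padding TLV, handy for building sample input

def encode_tlv(tlv_type, value):
    # OTR TLV record: 2-byte type, 2-byte length (big-endian), then the value.
    return struct.pack(">HH", tlv_type, len(value)) + value

def encode_peer_validity(validated, rating):
    if not 0 <= rating <= 100:
        raise ValueError("security rating must be 0..100")
    # Assumed value layout: one byte for the boolean, one byte for the rating.
    return encode_tlv(TLV_PEER_VALIDITY, bytes([int(bool(validated)), rating]))

def parse_tlvs(buf):
    """Split a TLV area into (type, value) pairs, rejecting truncated records."""
    records, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from(">HH", buf, off)
        off += 4
        if len(buf) - off < length:
            raise ValueError("TLV length exceeds remaining data")
        records.append((tlv_type, buf[off:off + length]))
        off += length
    return records

def decode_peer_validity(value):
    """Strictly decode the peer's claim; anything malformed is rejected."""
    if len(value) != 2 or value[0] not in (0, 1) or value[1] > 100:
        raise ValueError("malformed peer validity TLV")
    return bool(value[0]), value[1]

class PeerValiditySender:
    """Decides when to send: after the AKE, then only when a value changes."""
    def __init__(self, validated=False, rating=0):
        self.state, self.ake_done = (validated, rating), False

    def on_ake_finished(self):
        self.ake_done = True
        return encode_peer_validity(*self.state)

    def update(self, validated, rating):
        tlv = encode_peer_validity(validated, rating)  # validates the rating
        changed = (validated, rating) != self.state
        self.state = (validated, rating)
        return tlv if self.ake_done and changed else None
```
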