[OTR-dev] Peer validity TLV

Michael McConville mmcconville at mykolab.com
Fri Oct 2 23:41:33 EDT 2015


Ola Bini wrote:
> The information in the TLV would simply be two values. The first one
> is a boolean that says whether my OTR instance has authenticated the
> other person's fingerprint or concluded an SMP successfully. The second
> value is a value that can range from 0 to 100 and is something I call
> a "security rating". Basically, this rating is an opaque judgment of
> how secure the connection is from my perspective. It can take into
> account whether I'm using TLS to talk to the XMPP server, whether Tor
> is used, whether logs are turned off, etc. The idea is that my client
> can give the other client a rough indication of how secure we think
> the situation is. This second value is vaguely specified on purpose,
> since it will always be subjective to the local peer's situation.

Heuristics shouldn't be a part of security protocols, IMO. In practice,
they are almost invariably not implemented by clients and generally
don't actually prevent attacks. I haven't had time to carefully read the
rest of this yet, but that part stood out to me.
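For concreteness, here is an added example (not code from the thread or from libotr) of how the proposed two-value TLV would be framed in OTR's TLV record layout (2-byte type, 2-byte length, value) and how a receiving client should validate it; the type number is a placeholder since the proposal assigns none, and a decoder that rejects out-of-range or truncated records is the minimum a client needs before it lets a peer-supplied rating influence anything.

```python
import struct

# Placeholder TLV type number: the proposal does not assign one (assumption).
TLV_PEER_VALIDITY = 0x00FF


def encode_peer_validity(authenticated: bool, rating: int) -> bytes:
    """Encode the two proposed values as one OTR-style TLV: type, length, value."""
    if not 0 <= rating <= 100:
        raise ValueError("rating must be in 0..100")
    value = struct.pack("!BB", 1 if authenticated else 0, rating)
    return struct.pack("!HH", TLV_PEER_VALIDITY, len(value)) + value


def parse_tlvs(data: bytes) -> list:
    """Split a byte string into (type, value) tuples, rejecting truncated records."""
    records = []
    off = 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack_from("!HH", data, off)
        off += 4
        if len(data) - off < tlv_len:
            raise ValueError("truncated TLV value")
        records.append((tlv_type, data[off:off + tlv_len]))
        off += tlv_len
    return records


def decode_peer_validity(data: bytes):
    """Return (authenticated, rating) from the first peer-validity TLV, or None.

    Malformed values are rejected rather than clamped, so a peer cannot push an
    out-of-range or oversized record into the local client's trust display.
    """
    for tlv_type, value in parse_tlvs(data):
        if tlv_type != TLV_PEER_VALIDITY:
            continue  # other TLV types (padding, SMP, ...) are not our concern here
        if len(value) != 2 or value[0] not in (0, 1) or value[1] > 100:
            raise ValueError("malformed peer-validity TLV")
        return bool(value[0]), value[1]
    return None
```

Note that even a well-formed record only tells you what the remote client claims about its own situation; nothing in the TLV lets the receiver verify the rating, which is the objection raised above.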

