[OTR-dev] Peer validity TLV

Ian Goldberg ian at cypherpunks.ca
Sat Oct 3 10:30:22 EDT 2015


On Sat, Oct 03, 2015 at 07:57:01AM -0400, Greg Troxel wrote:
> 
> Ola Bini <list at olabini.se> writes:
> 
> > Hi,
> >
> > Lately I've been thinking about how to communicate the decisions OTR is making
> > in such a way that users can make informed choices based on that. I realized
> > that one thing I've missed when using OTR-enabled clients is the possibility
> > of knowing whether my peer has validated my key or not.
> 
> Two questions:
> 
>   Why is it useful for you to know if the other side has marked your key
>   as valid?
> 
>   Why is it ok, from a security viewpoint, for them to disclose that to
>   you?
> 
> 
> I don't mean these to be accusatory, but I think rationale for them
> should be part of a proposal to add something.

And, like the somewhat similar question from years ago about "be able to
query the other side to see if they have logging turned on", your peer
can simply lie.  What security-relevant action would you be taking based
on this information?
-- 
Ian Goldberg
Associate Professor and University Research Chair
Cheriton School of Computer Science
University of Waterloo

