[OTR-users] Opinions on proposed "unknown fingerprint" behaviour?

Jason Cohen jcohen07 at brandeis.edu
Wed Jun 1 16:11:44 EDT 2005


Aldert J.B.P. Hazenberg wrote:

>Ian Goldberg wrote:
>
>>Based on some comments here, how about this as a second strawman
>>proposal:
>>
>>Instead of two modes (Private / Not private), there are now three:
>>
>>1. Not private (red)
>>2. Unverified (yellow)
>>3. Private (green)
>>
>>[I'm not sure I like the actual choice of words here; suggestions are of
>>course welcome.]
>>
>
>The wording as stated above is exactly what I have 'difficulties' with.
>Also the proposed color layout does not make me 'happy'.
>
>I am not a native English speaker but I would prefer it like this :
>
>1. Not private
>2. Private
>3. Verified Private
>
>The rationale is that Unverified does not give a 'safe' feeling while it
>is an established secure OTR connection.
>
>For the color layout I have 2 ideas :
>
>Or :
>
>1. Red
>2. Light Green
>3. Dark Green
>
>Or (I don't know if this is possible but has my preference)
>
>1. Red
>2. Green
>3. Green with a, say, Black symbol 'in' the green area like a check in a
>   checkbox (like in http://registration-net.com/checkbox.gif)
>
>The rationale is that Yellow does not give a 'safe' feeling while it is
>an established secure OTR connection.
>
>Aldert.
>
Yellow shouldn't give a safe feeling. Encryption without authentication
is useless. While the conversation is protected from sniffing by third
parties, you have no assurance that the individual you are speaking to
is who he says he is. In this case, your only assurance that you are
speaking to the correct individual is the username/password on the IM
account.

If you verify the fingerprint through an out-of-band method of
authentication such as via telephone, security is increased because only
the individual with that key will be able to have a private conversation
with you. Now a person would need both the password to the IM account
and the private key to initiate a conversation.

Jason Cohen