[OTR-users] Opinions on proposed "unknown fingerprint" behaviour?

Greg Troxel gdt at ir.bbn.com
Thu Jun 2 08:41:24 EDT 2005 

  1. Not private (red)
  2. Unverified (yellow)
  3. Private (green)

I share the concern about wording, but I object to the notion that 2
(doing OTR, unverified fingerprint) is a shade of green.

Color is awkward due to b&w displays (I'll need to fire up my
Sparcstation ELC which is 1152x900x 1bit...), and accessibility
issues.  So perceiving of color should not be required for the UI to
function - I think you are proposing having text and color
simultaneously so it works without color.

How about

  1. Unencrypted
  2. Encrypted/unverified
  3. Private

I think the color choices are fine.  Besides the stoplight (and I see
the concern about the expectation of going from yellow to red), other
well-known color codes are Cooper's color code of awarenessand of
course in the US the DHS terrorist threat alert level.  So the
intended connotations of red = not ok, yellow = iffy, green = ok seem
fine.        

In practice, I suspect people accept the fingerprint once without
really checking, but after using it for a while the odds that Mallory
could be MITMing every single time seem lower (but I admit that's
fuzzy thinking).  This is the ssh theory, and the repeat MITM attack
seems not prevalent.

It would be nice to be able to export/import keys in openpgp format so
one could leverage the pgp WoT; my experience is that people are
better about checking PGP fingerprints than OTR fingerprints.

  New fingerprints would cause gaim to automatically go from red to
  yellow.  It will display a dialog saying that a new fingerprint was
  presented for the given user.

I think you mean 'presentation of a new OTR signing key, followed by
key agreement authenticated by that (untrustworthy) key'.  Pedantic,
perhaps, but this is confusing enough.

For expert users, the new key dialog should have three choices

  Discard Key
  Keep Key as Unconfirmed
  Confirm Key

probably keep as unconfirmed should be the default.
For non-experts, perhaps just don't present dialog.

  This dialog also has a mechanism for indicating that you have verified
  the fingerprint (and, I suppose, a way to undo that indication).

Absolutely: a way to undo it, and to remove it.  Basically the same
three choices as the initial dialog.


-- 
        Greg Troxel <gdt at ir.bbn.com>

More information about the OTR-users mailing list