[OTR-users] Opinions on proposed "unknown fingerprint" behaviour?

Ian Goldberg ian at cypherpunks.ca
Thu Jun 2 09:27:28 EDT 2005


On Thu, Jun 02, 2005 at 08:41:24AM -0400, Greg Troxel wrote:
>   1. Not private (red)
>   2. Unverified (yellow)
>   3. Private (green)
> 
> I share the concern about wording, but I object to the notion that 2
> (doing OTR, unverified fingerprint) is a shade of green.
> 
> Color is awkward due to b&w displays (I'll need to fire up my
> Sparcstation ELC which is 1152x900x 1bit...), and accessibility
> issues.  So perceiving of color should not be required for the UI to
> function - I think you are proposing having text and color
> simultaneously so it works without color.

Oh, for sure.  I was thinking the colour could also have a shape,
perhaps reminiscent of traffic *signs*: red octagon, yellow triangle,
green circle.  And then the text underneath it.  We'd do away with the
"OTR:" text (maybe incorporating it into the image), which would leave
us some room for text.

> How about
> 
>   1. Unencrypted
>   2. Encrypted/unverified
>   3. Private

I don't think "Encrypted/unverified" will *fit*, unfortunately.

> It would be nice to be able to export/import keys in openpgp format so
> one could leverage the pgp WoT; my experience is that people are
> better about checking PGP fingerprints than OTR fingerprints.

PKIs can always leverage each other: see for example,
http://r6.ca/russellotr.asc .  So _one_ of the ways you can verify an OTR
fingerprint is to use the PGP WoT.

>   New fingerprints would cause gaim to automatically go from red to
>   yellow.  It will display a dialog saying that a new fingerprint was
>   presented for the given user.
> 
> I think you mean 'presentation of a new OTR signing key, followed by
> key agreement authenticated by that (untrustworthy) key'.  Pedantic,
> perhaps, but this is confusing enough.

I'm not sure I see your distinction.  The Key Exchange Message packet
contains *both* the presentation of the DSA key *and* the DH key
agreement, signed with the DSA key.  If you receive one of these
(well-formed; is that the distinction you were making?) packets,
and it contains a DSA key you haven't seen before, gaim will let you
know, but switch to yellow.

   - Ian
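The three-level indicator discussed above, modelled as an added example (not code from the OTR project or from anyone in this thread): a per-buddy fingerprint store that returns red/yellow/green, records a newly presented key as unverified with a notice, and additionally flags the case where a buddy with an already-verified key presents a different one. The `FingerprintStore` class and its method names are assumptions for illustration.

```python
# Added illustration, not OTR/gaim code. Red/yellow/green follow the
# proposal in the thread; the class and method names are assumed.
from dataclasses import dataclass, field

NOT_PRIVATE, UNVERIFIED, PRIVATE = "red", "yellow", "green"


@dataclass
class FingerprintStore:
    # buddy -> {fingerprint: verified?}
    known: dict = field(default_factory=dict)
    # user-visible notices raised by state(), oldest first
    notices: list = field(default_factory=list)

    def state(self, buddy, session_fpr):
        """Indicator level for a conversation with `buddy`.

        session_fpr is the fingerprint of the DSA key presented in the
        current OTR key exchange, or None when OTR is not in use.
        """
        if session_fpr is None:
            return NOT_PRIVATE
        seen = self.known.setdefault(buddy, {})
        if session_fpr not in seen:
            # Unknown key: remember it as unverified and tell the user
            # (the proposed automatic red -> yellow plus a notice).
            seen[session_fpr] = False
            self.notices.append(
                f"new fingerprint {session_fpr} presented for {buddy}")
            if any(seen.values()):
                # This buddy already has a verified key; a different key
                # deserves a louder warning than a first-contact key does.
                self.notices.append(
                    f"fingerprint for {buddy} differs from a verified key")
        return PRIVATE if seen[session_fpr] else UNVERIFIED

    def verify(self, buddy, fpr):
        """Mark a fingerprint verified after an out-of-band check (in
        person, or via a PGP-signed statement as mentioned above)."""
        if fpr not in self.known.get(buddy, {}):
            raise KeyError(f"{fpr} was never presented by {buddy}")
        self.known[buddy][fpr] = True
```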
