[OTR-users] Opinions on proposed "unknown fingerprint" behaviour?

Ian Goldberg ian at cypherpunks.ca
Fri May 20 11:58:09 EDT 2005


On Fri, May 20, 2005 at 10:51:26AM -0400, Jason Cohen wrote:
> I like the idea of having the "private connection established" dialog
> box as an in-conversation message with the ability to get the session
> id and fingerprint by clicking the OTR Private button. However, I think
> there should still be an option to keep the old system in place with
> regard to accepting new fingerprints. The system is only secure if the
> fingerprint is authenticated out of bounds. Otherwise, you don't know
> who you're talking to. I understand that some users might not want to do
> this so they should have the option of auto-accepting new keys. I still
> think a dialog box should come up asking if you want to accept the
> fingerprint so that you can override the automatic choice without
> needing to access the known fingerprint list.

Right.  So there would be something like a "Require explicit
confirmation of new fingerprints" option, default off.

If it's off:
    - When a new fingerprint comes in, it's auto-accepted, so that the
      conversation can proceed.
    - A dialog box showing the new fingerprint is displayed, with "Yes"
      and "No" buttons.
    - The "Yes" button simply dismisses the dialog box.
    - The "No" button ends the private connection, forgets the
      fingerprint, and dismisses the dialog box.

If it's on (the current behaviour):
    - When a new fingerprint comes in, it's not auto-accepted.  Messages
      that come in at this point will generate errors.
    - A dialog box showing the new fingerprint is displayed, with "Yes"
      and "No" buttons.
    - The "Yes" button accepts the fingerprint, and dismisses the
      dialog box.
    - The "No" button simply dismisses the dialog box.

> I also like getting the "private connection established" dialog box as
> it clearly informs me that a private conversation has been started even
> if gaim is minimized. Could we have the option of keeping the "private
> connection established" dialog box, while setting the default as an
> in-conversation message?

A "Display 'private connection established' dialogs" checkbox, default
off.

If it's off, you get the behaviour I described in the other message.

If it's on, you get the current behaviour (but clicking the "OTR:
Private" button would still bring up the window, and you'd have to click
a button on *that* window to refresh the private connection; this seems
ugly, though; if someone's got a better UI suggestion for how to (a)
bring up the session id information, or (b) refresh a private
connection, please speak up!).

> Also, I was wondering if gaim-otr 2.0.2 is going to be released on
> debian sid. libotr 2.0.2 is already in sid but the newest version of
> gaim-otr is 2.0.1 which conflicts with gaim-encryption.

You'll have to ask Thibaut, the debian maintainer, about that.

   - Ian
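
The two settings of the proposed "Require explicit confirmation of new fingerprints" option, modelled as a small state machine. This is an added example, not gaim-otr code and not part of the original message; the class and method names are hypothetical, and it assumes a message is deliverable exactly when its sender's fingerprint is currently accepted.

```python
# Added illustration, not gaim-otr code. All names are hypothetical and the
# fingerprint strings used with it are constructed sample values.

class FingerprintPolicy:
    """Models 'Require explicit confirmation of new fingerprints'."""

    def __init__(self, require_explicit_confirmation=False):  # default off
        self.require_confirmation = require_explicit_confirmation
        self.known = set()     # accepted fingerprints
        self.pending = set()   # fingerprints whose dialog is still open
        self.private = False   # whether a private connection is up

    def new_fingerprint(self, fp):
        """Key exchange presented fp; return True if a dialog is shown."""
        if fp in self.known:
            self.private = True
            return False
        self.pending.add(fp)
        if not self.require_confirmation:
            # Option off: auto-accept so the conversation can proceed.
            self.known.add(fp)
            self.private = True
        return True

    def incoming_message(self, fp, text):
        """Deliver only if fp is accepted; otherwise report an error."""
        if fp in self.known:
            return ("delivered", text)
        return ("error", None)

    def answer_dialog(self, fp, yes):
        """Apply the Yes/No button for the dialog about fp."""
        self.pending.discard(fp)
        if self.require_confirmation and yes:
            # Option on, "Yes": accept the fingerprint.
            self.known.add(fp)
            self.private = True
        elif not self.require_confirmation and not yes:
            # Option off, "No": end the connection, forget the fingerprint.
            self.known.discard(fp)
            self.private = False
        # Remaining cases simply dismiss the dialog.
```

In this model, with the option off, messages are delivered while the dialog is still open, and only a "No" answer revokes the fingerprint afterwards.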


