[OTR-users]RE: [OTR-users] Re: OTR-users digest, Vol 1 #63 - 3 msgs

Alaric Dailey alaricd at pengdows.com
Fri May 20 16:37:42 EDT 2005


I like the way Simp (www.secway.fr) handles it, giving you a key manager so you can take your fingerprint/keyrings with you from machine to machine. Having a keyring highlights new and untrusted keys so you are aware of changes.

My modification of their way to do it (borrowing from other emails I have seen) would be to give a status in the window letting you know that while you are encrypted, it's a "new or untrusted" key. So if you don't trust yourself to look at new or changed auto-accepted keys you will still know, or if you don't care, you can ignore it.

If there is such a "keyring" feature currently in OTR I haven't found it. 

Forgive me if I don't know all the features of OTR, I have only started using it.



Original Message -----------------------

a good example of why it would be best/great
to auto-accept keys is when you are on two
different machines chatting with the same
person.  an example:  you are at home and
you have an OTR chat going with someone.
then you quit the chat.  the person you
are chatting with either closes the window
or leaves it open (it doesn't matter which).
then you go to work and login there.
the person you were chatting with still
thinks that you are using the old key
(fingerprint).  then both your attempts
to chat with each other barf with all
sorts of malformed packet errors and
you are forced to re-establish a connection.
if the person that you are chatting with
happens to be using windows gaim with
the OTR plugin, and they are away from
their machine.. they can come back to
quite a few error messages.

> So what would people think about this:
>
> - When you receive a new fingerprint, you're notified of this fact (with
>   a dialog box), but it's automatically accepted right away.  [Noting
>   that approximately everyone just clicks "OK" anyway, this doesn't
>   change the usual behaviour.]
>
> - If you *don't* want to accept the fingerprint, you'd have to delete it
>   from your "known fingerprints" list.  Like today, I don't intend for
>   there to be a "known bad fingerprints" list.  [Another option would be
>   for the above dialog to continue to have "accept / not accept"
>   buttons, and clicking the latter would cause the fingerprint to be
>   deleted from the known fingerprints list (it would have been added the
>   moment the dialog popped up).]
>
> - The "private connection established" dialog goes away (or is made
>   optional), but the fingerprint and secure session id that are in there
>   now must still be accessible somehow (clicking the "OTR: Private"
>   button, maybe?).
>
_______________________________________________
OTR-users mailing list
OTR-users at lists.cypherpunks.ca
http://lists.cypherpunks.ca/mailman/listinfo/otr-users




