[OTR-users] Opinions on proposed "unknown fingerprint" behaviour?
Paul Wouters
paul at cypherpunks.ca
Sat May 21 18:30:20 EDT 2005
On Fri, 20 May 2005, Ian Goldberg wrote:
> Right. So there would be something like a "Require explicit
> confirmation of new fingerprints" option, default off.
>
> If it's off:
> - When a new fingerprint comes in, it's auto-accepted, so that the
> conversation can proceed.
> - A dialog box showing the new fingerprint is displayed, with "Yes"
> and "No" buttons.
> - The "Yes" button simply dismisses the dialog box.
> - The "No" button ends the private connection, forgets the
> fingerprint, and dismisses the dialog box.
>
> If it's on (the current behaviour):
> - When a new fingerprint comes in, it's not auto-accepted. Messages
> that come in at this point will generate errors.
> - A dialog box showing the new fingerprint is displayed, with "Yes"
> and "No" buttons.
> - The "Yes" button accepts the fingerprint, and dismisses the
> dialog box.
> - The "No" button simply dismisses the dialog box.
Couldn't the OTR client who gets the unknown fingerprint send back a "hold
further messages until I send an OK" message? Then the sending client
could, when the user types in another message, either tell the user the message
will be queued or just tell it it is not allowed to send more messages until
the fingerprint is accepted? I think queueing on the sending client is safer
then transmitting in unconfirmed fingerprint fashion to begin with?
Paul
More information about the OTR-users
mailing list