[OTR-users] Re: OTR-users digest, Vol 1 #63 - 3 msgs

Ryan B. Gould rgould at nosc.mil
Tue May 31 10:42:05 EDT 2005


On May 31, 2005, at 6:00 AM, Greg Troxel wrote:

> "Ryan B. Gould" <rgould at nosc.mil> writes:
>
>> a good example of why it would be best/great to auto-accept keys is
>> when you are on two different machines chatting with the same
>> person.  an example: you are at home and you have an OTR chat going
>> with someone.  then you quit the chat.  the person you are chatting
>> with either closes the window or leaves it open (it doesn't matter
>> which).  then you go to work and login there.  the person you were
>> chatting with still thinks that you are using the old key
>> (fingerprint).  then both your attempts to chat with each other
>> barf with all sorts of malformed packet errors and you are forced
>> to re-establish a connection.  if the person that you are chatting
>> with happens to be using windows gaim with the OTR plugin, and they
>> are away from their machine.. they can come back to quite a few
>> error messages.
>>
>
> I think the discussion is about fingerprints for public keys used to
> sign key exchange, not about session keys.  I routinely do what you
> describe and don't have issues but do need to refresh the key exchange
> when one person switches computers.  I've long ago accepted the 2-3
> fingerprints for each of my correspondents' machines.
> -- 
>         Greg Troxel <gdt at ir.bbn.com>

okay, fair enough.  my apologies to everyone
for not having analyzed the situation thoroughly
before piping up.  perhaps it has something to
do with the new (to me) "fingerprint" lingo.

yes, the accepting of the keys should still be
a manual yes/no process.  OTR implementations on
mac and windows do a great job at this.  still,
having the option of an auto-accept might be
a nice not-default option.

at the same time, i have experienced a situation
on both mac and windows where public keys need
to be re-accepted, even though they have been
accepted previously.  are the public keys set
to expire?  or is there something in the OTR
implementation that rotates keys out after a
certain amount of time?

off topic/next topic:

i think that the session keys are the ones that
should be auto-accepted (or have the ability to
choose that option).  both the mac and the
windows implementations don't do a very good job
at handling a situation where the session key(s)
have changed.  perhaps something in the
hand-shaking needs to be revised so the two
clients don't puke all over each other.  an
auto-re-negotiation rather than an auto-acceptance?


