[OTR-users] gaim 2.0
Ian Goldberg
ian at cypherpunks.ca
Thu Nov 17 08:51:57 EST 2005
On Wed, Nov 16, 2005 at 11:34:53PM -0800, CLAY SHENTRUP wrote:
> just a heads up, gaim 2.0 will be out in a couple months. will otr be
> modified to compile for it?
It will be. Someone's sent in a patch; we'll be working it out over on
the otr-dev list.
> it will support sip. any chance the otr devs might be up for adding some
> srtp goodness to that? :) the important thing is that the key exchange is
> done through diffie-hellman, and usable regardless of whether you've
> verified the "fingerprints". so far you have to use "certificates" for srtp
> sessions in every client i've seen. this is bad bad business.
No promises. ;-) Note that just because a protocol uses Diffie-Hellman
doesn't give it all the same privacy properties as OTR. It may not
provide the same deniability aspects, and if the D-H is only done once
per session, your forward secrecy window may be very large. It may not
even provide authentication! [Trillian's SecureIM falls into this
category, for example.] If you don't have something like a certificate
for the guy at the other end, how do you know it's really him, and not a
man-in-the-middle passing your traffic back and forth (reading it along
the way)?
- Ian
More information about the OTR-users
mailing list