[OTR-users] Feature request- Revoke identity

Paul Wouters paul at cypherpunks.ca
Fri Nov 18 02:06:37 EST 2005


On Thu, 17 Nov 2005, Gregory Maxwell wrote:

> someone with this new identity it will provide them with proof it knew
> the old identity's private key. The old identity is then marked in
> their list as revoked and the software should refuse to communicate
> over it, even if they have not yet verified the new identity (if an
> attacker has my key I couldn't be more pleased if he went around using
> it to revoke it rather than using it to impersonate me!)

Uhm, couldn't the attacker do the same with the stolen key, and
inject new false identities to your buddies too?

I'd prefer using OTR identities in GPG (sub)keys. There you can do all the
revoke/sign/trust relationships already. We just need to bind those to OTR
identities (with a special (sub)key combining my GPG entity with my OTR keys
and IM identities).

This was discussed before a few weeks back, but the developers were eerily
quiet and probably don't want to be known as "the people who put all those
keys in the PGP keyservers".

Paul


