[OTR-users] pidgin-otr: passphrase private key and sign public keys

Paul Wouters paul at cypherpunks.ca
Wed Jul 9 19:02:00 EDT 2008 

> That's not the same: OTR would only need to decrypt the private key
> during initilization of each conversation. The encrypted file system
> would be mounted (and thus be decrypted) all the time pidgin is
> running. I know that that is not much of a difference in theory but it
> adds up. It's about the effort an attacker has to make. Starting up vi
> and editing otr.fingerprints while I am e.g. running for the door is
> not the same as installing a key logger and hiding it from the process
> list.

It takes less time to install my ssh key on your account, then it takes
me to edit your fingerprints. I'll do that after I login to your machine.

> Hmm, I do enter a password connecting to the IM server. And I dont let
> pidgin "remember it" because as far as I know pidgin is missing a
> master passphrase to protect my IM passwords.

It should support gnu keychain I guess. I personally don't type in 8
passwords for my IM accounts (and yes, the 8 passwords are the same,
so dozens of people working for MSN, AIM or jabber servers have access
to all my IM accounts)

> Also in the CodeCon2005 presentation you compare yourself with pgp -
> and with pgp I have to enter the pass phrase all the time because pgp
> does encrypt the private key.

Most mail clients integrating GPG/PGP remember the unlocked key for a
short time (several minutes usually). So it really depends on how you
use gpg/pgp. And gpg/pgp is a bad example to use to show how to demonstrate
effective practical cryptography for the masses. STARTTLS on sendmail has
done much more then gpg/pgp to protect the masses from being eavesdropped on.

(and Americans need it. Even with Obama, there is telecom immunity against
tapping too much for the government, see http://news.bbc.co.uk/2/hi/americas/7498753.stm

>> We want to be able to protect users even if they don't know OTR is
>> installed.
>
> What about users who have been using gpg plugins for IM and wanted to
> switch to OTR?

Did you type your gpg password for every single message in IM like you did
for email? That must surely add quite the latency to your conversation,
assuming you picked a decent strength passphrase.

> -rw-r--r--  1 jdibbelt jdibbelt   406 2008-07-09 10:41 otr.fingerprints
> -rw-r--r--  1 jdibbelt jdibbelt  1984 2008-07-08 16:44 otr.private_key
>
> But I guess that's the package maintainer's fault.

Or your own .whatever config files's umask problem. But even so, isn't
the directory containing these files -rwx------ ?

Paul

More information about the OTR-users mailing list