[OTR-users] PGP integration?
Ximin Luo
infinity0 at gmx.com
Wed Nov 6 13:24:24 EST 2013
On 06/11/13 18:07, Daniel Kahn Gillmor wrote:
> On 11/06/2013 12:59 PM, Hans-Christoph Steiner wrote:
>> We have rudimentary support for this in the latest release of KeySync:
>> https://guardianproject.info/apps/keysync/
>>
>> It will read a DSA subkey from your GnuPG secret key and convert it
>> into main different OTR formats. Writing out to various OTR formats
>> works pretty well, its the reading from GnuPG that is rudimentary.
>
> cool. how does it decide which DSA subkeys to use? does it consider the usage flags on the keys, or any specific markers that would indicate that a key is intended for OTR use as opposed to other use?
>
> --dkg
To re-iterate this to OP more strongly, if this "rudimentary" behaviour merely grabs a random key that could be *already used for another purpose* and turn it into an OTR key, then that is a security flaw, and no-one should be using it.
What we said before (and to repeat from the parallel discussion from otr-users) is that the tool should generate a new PGP subkey with usage flags "Authentication" and critical notation "for OTR use only". (If you don't know what a usage flag is, or a critical notation, please look this up in the OpenPGP docs/specs.)
I was under the impression that we had reached a consensus that this "the correct thing to do", so we don't really need to waste any more time talking about it. (I suppose one final thing is precisely what string the notation should be.)
X
--
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cypherpunks.ca/pipermail/otr-users/attachments/20131106/d30dbd52/attachment.pgp>
More information about the OTR-users
mailing list