[OTR-users] PGP integration?
Hans-Christoph Steiner
hans at guardianproject.info
Wed Nov 6 14:02:34 EST 2013
On Wed, 06 Nov 2013 18:24:24 +0000
Ximin Luo <infinity0 at gmx.com> wrote:
> On 06/11/13 18:07, Daniel Kahn Gillmor wrote:
> > On 11/06/2013 12:59 PM, Hans-Christoph Steiner wrote:
> >> We have rudimentary support for this in the latest release of
> >> KeySync: https://guardianproject.info/apps/keysync/
> >>
> >> It will read a DSA subkey from your GnuPG secret key and convert it
> >> into many different OTR formats. Writing out to various OTR
> >> formats works pretty well, it's the reading from GnuPG that is
> >> rudimentary.
> >
> > cool. how does it decide which DSA subkeys to use? does it
> > consider the usage flags on the keys, or any specific markers that
> > would indicate that a key is intended for OTR use as opposed to
> > other use?
> >
> > --dkg
>
> To re-iterate this to OP more strongly, if this "rudimentary"
> behaviour merely grabs a random key that could be *already used for
> another purpose* and turns it into an OTR key, then that is a security
> flaw, and no-one should be using it.
>
> What we said before (and to repeat from the parallel discussion from
> otr-users) is that the tool should generate a new PGP subkey with
> usage flags "Authentication" and critical notation "for OTR use
> only". (If you don't know what a usage flag is, or a critical
> notation, please look this up in the OpenPGP docs/specs.)
>
> I was under the impression that we had reached a consensus that this
> is "the correct thing to do", so we don't really need to waste any more
> time talking about it. (I suppose one final thing is precisely what
> string the notation should be.)
>
> X
It just grabs whatever DSA key is in the GPG key. Yes, this is not
the best behavior. It's a proof of concept. The target audience is
anyone interested in experimenting with the idea. It's not meant to be
a day-to-day user feature yet.
.hc
--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
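
The usage-flag question raised in this thread, as an added example that is not part of the original message and is not KeySync code: a filter over `gpg --with-colons --list-keys` output that accepts a DSA subkey only when its capability field is exactly "a" (Authentication) and rejects the rest. The listing is constructed sample data, the function name is hypothetical, and the critical-notation check proposed above is not covered.

```python
DSA = "17"               # OpenPGP public-key algorithm ID for DSA (RFC 4880)
UNUSABLE = set("ired")   # colon-listing validity: invalid, revoked, expired, disabled

# Constructed sample listing (key IDs are placeholders, not real keys).
# Field 2 = validity, field 4 = algorithm, field 5 = key ID, field 12 = capabilities.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAA1:1383000000:::u:::scESC:
uid:u::::1383000000::0000::Example User <user@example.org>:
sub:u:4096:1:AAAAAAAAAAAAAAA2:1383000000::::::e:
sub:u:1024:17:AAAAAAAAAAAAAAA3:1383000000::::::s:
sub:u:1024:17:AAAAAAAAAAAAAAA4:1383000000::::::a:
sub:r:1024:17:AAAAAAAAAAAAAAA5:1383000000::::::a:
"""


def classify_dsa_subkeys(listing):
    """Split DSA subkeys into (acceptable key IDs, {rejected key ID: reason}).

    Assumption of this example: a subkey is a candidate for OTR use only if
    it is currently valid and flagged for authentication and nothing else,
    so a key that may already sign or encrypt other data is never reused.
    """
    acceptable, rejected = [], {}
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 12 or fields[0] != "sub" or fields[3] != DSA:
            continue  # not a subkey record, or not a DSA key
        validity, keyid, caps = fields[1], fields[4], fields[11]
        if validity in UNUSABLE:
            rejected[keyid] = "subkey is revoked, expired, disabled or invalid"
        elif set(caps.lower()) != {"a"}:
            rejected[keyid] = "usage flags %r permit non-authentication use" % caps
        else:
            acceptable.append(keyid)
    return acceptable, rejected


if __name__ == "__main__":
    ok, bad = classify_dsa_subkeys(SAMPLE)
    print("acceptable:", ok)
    for keyid, reason in bad.items():
        print("rejected:", keyid, "-", reason)
```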