[OTR-users] Pretty-please standardize OTR signature storage, per OS.

Ian Goldberg ian at cypherpunks.ca
Tue Oct 1 18:10:19 EDT 2013 

On Tue, Oct 01, 2013 at 12:56:16PM -0400, subharo at hushmail.com wrote:
> Tamme, you also wondered where the spec for OTR is.  It appears 
> there is none.  All there is to go on, for now, it seems, is just 
> to "wing it", after carefully observing the formatting seen in the 
> config file that Pidgin creates, containing the OTR signature 
> (which was mentioned a bit earlier, in this mailing list).  
> Somebody, please correct me, if I'm wrong.

There is an OTR spec; it's on the website.
(http://otr.cypherpunks.ca/Protocol-v3-4.0.0.html)  Paul and others are
also working on a formal RFC.  But OTR is the protocol on the network
side.  It doesn't say anything about how all the different
implementations should handle their private information, but rather just
how they should behave in order to interoperate with each other over the
wire.

> Furthermore, I've considered how involved I can get into this, and 
> I've decided I can't offer more than this much.
> 
> I wish everyone the best in this, however I'm moving on for now, as 
> I've come up with a primitive workaround to this duplicate OTR 
> signature problem for: create a new, unique XMPP (or whatever IM-
> protocol) account in each IM client one uses, each with a slightly 
> different name.  Each unique account gets a unique OTR fingerprint, 
> and then there is no "collision" in OTR fingerprints.  The 
> unfortunate side effect is needing to add all of one's IM contacts 
> multiple times, one for each unique account.  But that's not so 
> bad, it just adds a few more minutes work (including the OTR 
> signature exchange for each account, with each contact).  
> Typically, even a sophisticated user would only use 2 or 3 OTR-
> aware IM clients, in tandem.

So you mean create XMPP accounts ian_1 at jabber.org, ian_2 at jabber.org,
..., ian_6 at jabber.org, each with individual OTR keys, and your buddies
will add each of those to their contact lists, and authenticate the OTR
keys separately?  I don't see that that's better than creating a single
XMPP account ian at jabber.org, with six OTR keys (one per device), and
your buddies will still authenticate the OTR keys separately, but now
only have to add you once to their contact list?

Can you clarify?

   - Ian

More information about the OTR-users mailing list