[OTR-users] Pretty-please standardize OTR signature storage, per OS.

subharo at hushmail.com subharo at hushmail.com
Wed Oct 2 12:18:00 EDT 2013


Hello Ian, Tamme, and others,

>> I've come up with a primitive workaround to this duplicate OTR
>> signature problem for: create a new, unique XMPP (or whatever IM-
>> protocol) account in each IM client one uses, each with a slightly
>> different name.  Each unique account gets a unique OTR fingerprint,
>> and then there is no "collision" in OTR fingerprints.  The
>> unfortunate side effect is needing to add all of one's IM contacts
>> multiple times, one for each unique account.  But that's not so
>> bad, it just adds a few more minutes work (including the OTR
>> signature exchange for each account, with each contact).
>> Typically, even a sophisticated user would only use 2 or 3 OTR-
>> aware IM clients, in tandem.
>
>So you mean create XMPP accounts ian_1 at jabber.org, ian_2 at jabber.org,
>..., ian_6 at jabber.org, each with individual OTR keys, and your buddies
>will add each of those to their contact lists, and authenticate the OTR
>keys separately?  I don't see that that's better than creating a single
>XMPP account ian at jabber.org, with six OTR keys (one per device), and
>your buddies will still authenticate the OTR keys separately, but now
>only have to add you once to their contact list?
>
>Can you clarify?
>
>   - Ian

Sure, I can clarify.  Let's look at two case studies: Jitsi, and 
Gajim.

The IM clients that I like the best, BY FAR, right now are Jitsi 
(for its SRTP/ZRTP and OTR support), and Gajim (for its built-in 
ability to possibly route OTR-encrypted XMPP text chats through 
Tor).  IMHO, Pidgin, Empathy, and other open source IM clients are 
way "behind the times" in making security a priority, let alone 
turning these security features on BY DEFAULT.  Jitsi leads the 
pack by having OTR and SRTP/ZRTP enabled BY DEFAULT.  I'm not aware 
of any other open source IM client that does this.

Why would I mention this?  Because, IMHO, *only IM clients that 
take security seriously matter*, since the advent of the whole 
Edward Snowden thing.  In other words, OTR has suddenly graduated 
from "plaything of geek eccentrics", to "compulsory to anyone who 
doesn't want to live in the year 1984", IMHO.

Now then, both Jitsi and Gajim currently *only allow one OTR 
fingerprint at a time, per contact*.  Where can you see this?

Jitsi: "Tools" menu -> Options -> "Security" tab -> "Chat" sub-tab, 
see "Known Fingerprints" chart.  There is a button to "Forget 
Fingerprint" if you'd like to replace an older fingerprint with a 
new one.

Gajim: (assuming you've got the OTR plugin installed first, which 
is not installed by default), "Edit" menu -> Plugins -> select "Off-
The-Record Encryption" in the "Plugin" chart -> click the 
"Configure" button in the lower right -> select "Known 
Fingerprints" tab.  Again, there is a button to "Forget 
Fingerprint", for a given contact.

So yes, Ian, my primitive workaround assumes you can have only one 
OTR fingerprint per contact in a given IM client.  And furthermore, 
once a given OTR fingerprint is verified for a given contact, 
it should remain unchanged on an effectively-permanent basis.  If 
you are aware of any open-source OTR-aware IM clients that allow 
for multiple OTR fingerprints for a given contact, I'd like to 
hear about them.

I'd also like to boldly suggest that the whole OTR community 
consider Jitsi as its new "reference implementation" of OTR, and 
not Pidgin.  Why?  Because Jitsi has OTR deeply integrated and 
turned on by default.  Jitsi gives OTR "first class citizen" 
treatment, whereas Pidgin, Gajim, etc. do not (in that they treat 
OTR as some hardly important, optional Plugin).

Cheers,
Subharo