[OTR-users] Pretty-please standardize OTR signature storage, per OS.
Adrian Georgescu
ag at ag-projects.com
Wed Oct 2 12:27:06 EDT 2013
SIP2SIP client for OSX does support multiple fingerprints per contact and has OTR enabled by default too. Also, it has an SMP validation mechanism for remote fingerprints. It is a multimedia SIP client, and it federates with remote XMPP domains and OTR works transparently end-to-end as far as we could test it.
http://sip2sip.info
Adrian
On Oct 2, 2013, at 6:18 PM, subharo at hushmail.com wrote:
> Hello Ian, Tamme, and others,
>
>>> I've come up with a primitive workaround to this duplicate OTR
>>> signature problem for: create a new, unique XMPP (or whatever
>>> IM-protocol) account in each IM client one uses, each with a
>>> slightly different name. Each unique account gets a unique OTR
>>> fingerprint, and then there is no "collision" in OTR fingerprints.
>>> The unfortunate side effect is needing to add all of one's IM
>>> contacts multiple times, one for each unique account. But that's
>>> not so bad, it just adds a few more minutes work (including the
>>> OTR signature exchange for each account, with each contact).
>>> Typically, even a sophisticated user would only use 2 or 3
>>> OTR-aware IM clients, in tandem.
>>
>> So you mean create XMPP accounts ian_1 at jabber.org,
>> ian_2 at jabber.org, ..., ian_6 at jabber.org, each with individual
>> OTR keys, and your buddies will add each of those to their contact
>> lists, and authenticate the OTR keys separately? I don't see that
>> that's better than creating a single XMPP account ian at jabber.org,
>> with six OTR keys (one per device), and your buddies will still
>> authenticate the OTR keys separately, but now only have to add you
>> once to their contact list?
>>
>> Can you clarify?
>>
>> - Ian
>
> Sure, I can clarify. Let's look at two case studies: Jitsi, and
> Gajim.
>
> The IM clients that I like the best, BY FAR, right now are Jitsi
> (for its SRTP/ZRTP and OTR support), and Gajim (for its built-in
> ability to possibly route OTR-encrypted XMPP text chats through
> Tor). IMHO, Pidgin, Empathy, and other open source IM clients are
> way "behind the times" in making security a priority, let alone
> turning these security features on BY DEFAULT. Jitsi leads the
> pack by having OTR and SRTP/ZRTP enabled BY DEFAULT. I'm not aware
> of any other open source IM client that does this.
>
> Why would I mention this? Because, IMHO, *only IM clients that
> take security seriously matter*, since the advent of the whole
> Edward Snowden thing. In other words, OTR has suddenly graduated
> from "plaything of geek eccentrics", to "compulsory to anyone who
> doesn't want to live in the year 1984", IMHO.
>
> Now then, both Jitsi and Gajim currently *only allow one OTR
> fingerprint at a time, per contact*. Where can you see this?
>
> Jitsi: "Tools" menu -> Options -> "Security" tab -> "Chat" sub-tab,
> see "Known Fingerprints" chart. There is a button to "Forget
> Fingerprint" if you'd like to replace an older fingerprint with a
> new one.
>
> Gajim: (assuming you've got the OTR plugin installed first, which
> is not installed by default), "Edit" menu -> Plugins -> select "Off-
> The-Record Encryption" in the "Plugin" chart -> click the
> "Configure" button in the lower right -> select "Known
> Fingerprints" tab. Again, there is a button to "Forget
> Fingerprint", for a given contact.
>
> So yes, Ian, my primitive workaround assumes you can have only one
> OTR fingerprint per contact in a given IM client. And furthermore,
> once a given OTR fingerprint is verified for a given contact,
> it should remain unchanged on an effectively-permanent basis. If
> you are aware of any open-source OTR-aware IM clients that allow
> for multiple OTR fingerprints for a given contact, I'd like to
> hear about them.
>
> I'd also like to boldly suggest that the whole OTR community
> consider Jitsi as its new "reference implementation" of OTR, and
> not Pidgin. Why? Because Jitsi has OTR deeply integrated and
> turned on by default. Jitsi gives OTR "first class citizen"
> treatment, whereas Pidgin, Gajim, etc. do not (in that they treat
> OTR as some hardly important, optional Plugin).
>
> Cheers,
> Subharo