[OTR-users] Pretty-please standardize OTR signature storage, per OS.

subharo at hushmail.com subharo at hushmail.com
Sun Oct 6 13:40:08 EDT 2013


Hello Adrian,

The IM client to which you're referring seems to be Blink.  sip2sip 
is a free SIP service, and they recommend the Blink IM client for 
use with it.  Blink is Open Source, however I haven't checked 
it out yet, as I'm much more interested in XMPP than SIP.

The one gripe I see at the outset is that it uses iCloud for 
backups, which I don't trust as secure.  Hopefully that's optional, 
and not enabled by default.

Nonetheless, thanks for pointing Blink/SIP2SIP out.  Note: XMPP 
works considerably better for me than SIP on my satellite internet 
connection.  SIP always works poorly for me (unless I were to 
carefully use a VPN), and the satellite makes damn sure of that.  
Although when my satellite is too busy (like during evenings and 
weekends), it drops XMPP traffic also.

Cheers,
Subharo

On Wed, 02 Oct 2013 12:27:15 -0400 "Adrian Georgescu" <ag at ag-projects.com> wrote:
>SIP2SIP client for OSX does support multiple fingerprints per 
>contact and has OTR enabled by default too. Also, it has SMP 
>validation mechanism for remote fingerprints. It is a multimedia 
>SIP client, and it federates with remote XMPP domains and OTR 
>works transparently end-to-end as far as we could test it.
>
>http://sip2sip.info
>
>Adrian
>
>On Oct 2, 2013, at 6:18 PM, subharo at hushmail.com wrote:
>
>> Hello Ian, Tamme, and others,
>> 
>>>> I've come up with a primitive workaround to this duplicate OTR
>>>> signature problem for: create a new, unique XMPP (or whatever
>>>> IM-protocol) account in each IM client one uses, each with a
>>>> slightly different name.  Each unique account gets a unique OTR
>>>> fingerprint, and then there is no "collision" in OTR fingerprints.
>>>> The unfortunate side effect is needing to add all of one's IM
>>>> contacts multiple times, one for each unique account.  But that's
>>>> not so bad, it just adds a few more minutes work (including the OTR
>>>> signature exchange for each account, with each contact).
>>>> Typically, even a sophisticated user would only use 2 or 3
>>>> OTR-aware IM clients, in tandem.
>>> 
>>> So you mean create XMPP accounts ian_1 at jabber.org,
>>> ian_2 at jabber.org, ..., ian_6 at jabber.org, each with individual
>>> OTR keys, and your buddies will add each of those to their contact
>>> lists, and authenticate the OTR keys separately?  I don't see that
>>> that's better than creating a single XMPP account ian at jabber.org,
>>> with six OTR keys (one per device), and your buddies will still
>>> authenticate the OTR keys separately, but now only have to add you
>>> once to their contact list?
>>> 
>>> Can you clarify?
>>> 
>>>  - Ian
>> 
>> Sure, I can clarify.  Let's look at two case studies: Jitsi, and
>> Gajim.
>>
>> The IM clients that I like the best, BY FAR, right now are Jitsi
>> (for its SRTP/ZRTP and OTR support), and Gajim (for its built-in
>> ability to possibly route OTR-encrypted XMPP text chats through
>> Tor).  IMHO, Pidgin, Empathy, and other open source IM clients are
>> way "behind the times" in making security a priority, let alone
>> turning these security features on BY DEFAULT.  Jitsi leads the
>> pack by having OTR and SRTP/ZRTP enabled BY DEFAULT.  I'm not aware
>> of any other open source IM client that does this.
>> 
>> Why would I mention this?  Because, IMHO, *only IM clients that
>> take security seriously matter*, since the advent of the whole
>> Edward Snowden thing.  In other words, OTR has suddenly graduated
>> from "plaything of geek eccentrics", to "compulsory to anyone who
>> doesn't want to live in the year 1984", IMHO.
>> 
>> Now then, both Jitsi and Gajim currently *only allow one OTR 
>> fingerprint at a time, per contact*.  Where can you see this?
>> 
>> Jitsi: "Tools" menu -> Options -> "Security" tab -> "Chat" sub-tab,
>> see "Known Fingerprints" chart.  There is a button to "Forget
>> Fingerprint" if you'd like to replace an older fingerprint with a
>> new one.
>> 
>> Gajim: (assuming you've got the OTR plugin installed first, which
>> is not installed by default), "Edit" menu -> Plugins -> select
>> "Off-The-Record Encryption" in the "Plugin" chart -> click the
>> "Configure" button in the lower right -> select "Known
>> Fingerprints" tab.  Again, there is a button to "Forget
>> Fingerprint", for a given contact.
>> 
>> So yes, Ian, my primitive workaround assumes you can have only one
>> OTR fingerprint per contact in a given IM client.  And furthermore,
>> once a given OTR fingerprint is verified for a given contact, and
>> it should remain unchanged on an effectively-permanent basis.  If
>> you are aware of any open-source OTR-aware IM clients that allow
>> for multiple OTR fingerprints for a given contact, I'd like to
>> hear about them.
>> 
>> I'd also like to boldly suggest that the whole OTR community
>> consider Jitsi as its new "reference implementation" of OTR, and
>> not Pidgin.  Why?  Because Jitsi has OTR deeply integrated and
>> turned on by default.  Jitsi gives OTR "first class citizen"
>> treatment, whereas Pidgin, Gajim, etc. do not (in that they treat
>> OTR as some hardly important, optional Plugin).
>> 
>> Cheers,
>> Subharo
>>
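
Added example, not part of either message in this thread and not code from any client named in it: a small Python model of the two storage policies being contrasted, one known fingerprint per contact versus several per contact, run over a contact who alternates between two devices. `FingerprintStore`, its methods, the contact address and both fingerprints are hypothetical and constructed for illustration.

```python
import re

CONTACT = "ian@example.org"  # constructed address


def normalize(fp):
    """Canonical form of an OTR fingerprint: 40 uppercase hex digits (160 bits)."""
    digits = re.sub(r"\s+", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", digits):
        raise ValueError("expected 40 hex digits")
    return digits


class FingerprintStore:
    """Hypothetical per-contact store; multi=False keeps one fingerprint only."""

    def __init__(self, multi):
        self.multi = multi
        self.known = {}  # contact -> {fingerprint: verified flag}

    def observe(self, contact, fp):
        """Classify the fingerprint a peer presents when a session starts."""
        fp = normalize(fp)
        seen = self.known.setdefault(contact, {})
        if fp in seen:
            return "verified" if seen[fp] else "unverified"
        if seen and not self.multi:
            return "conflict"  # the old entry must be forgotten first
        seen[fp] = False
        return "new"

    def verify(self, contact, fp):
        """Mark a stored fingerprint as checked out of band (or via SMP)."""
        self.known[contact][normalize(fp)] = True

    def forget(self, contact):
        self.known.pop(contact, None)


def switch_devices(store):
    """Contact appears from laptop, then phone, then laptop again."""
    laptop = "0123ABCD 4567EF01 89ABCDEF 01234567 89ABCDEF"  # constructed
    phone = "FEDCBA98 76543210 FEDCBA98 76543210 FEDCBA98"   # constructed
    trace = []
    for fp in (laptop, phone, laptop):
        status = store.observe(CONTACT, fp)
        if status == "conflict":  # single-slot policy: forget, then re-add
            store.forget(CONTACT)
            status = "conflict->" + store.observe(CONTACT, fp)
        if status.endswith("new"):
            store.verify(CONTACT, fp)  # each new key needs its own check
        trace.append(status)
    return trace
```

With the single-slot policy every device switch discards an earlier verification, so a fingerprint change becomes routine and no longer stands out as a warning sign; with the multi-slot policy each device key is verified once and then recognised.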