[OTR-users] Pretty-please standardize OTR signature storage, per OS.
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Sep 6 14:25:27 EDT 2013
On 09/06/2013 01:21 PM, subharo at hushmail.com wrote:
> What if the OTR project had a published *Standard*, saying where
> and how OTR keys should be stored (including filesystem permissions
> that should apply), for every OS where OTR is currently in use (and
> there aren't that many of them). Then the likes of Jitsi, Pidgin,
> and Gagim could all refer to that one standardized, known folder in
> common (silently creating it if necessary).
I quite like the proposal to enable OTR applications to share
authentication databases, and agree that the disjoint data sets are a
ripe source of user confusion (and therefore of insecurity).
I'm not convinced that just outlining a location in the filesystem for
the data is sufficient, though, because of issues with concurrent
updates; e.g. what if Alice's OTR-enabled tool X tries to make a note of
Bob's fingerprint at the same time as OTR-enabled tool Y tries to make a
note of Charlie's fingerprint?
use of an agent-driven approach (e.g. a dbus query or talk to a local
daemon bound to the loopback or something) could serialize and
centralize access without causing more trouble. Related to earlier
discussions about looking up long-term OTR identity keys in the OpenPGP
keyserver network, it seems plausible that you could use a modified
monkeysphere validation agent for this purpose; bummed i don't have time
to work on it further at the moment, but if folks want to push in that
direction, i'd be happy to kibbitz.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cypherpunks.ca/pipermail/otr-users/attachments/20130906/1415eb93/attachment.pgp>
More information about the OTR-users
mailing list