[OTR-users] Pretty-please standardize OTR signature storage, per OS.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Sep 10 11:20:47 EDT 2013


On 09/10/2013 10:24 AM, Thijs Alkemade wrote:

> Before we run off and start reimplementing something like a gpg-agent-for-otr,
> could we investigate whether it would be possible to just use gpg with gpg-
> agent itself for storing OTR keys and known fingerprints?

gpg-agent manages your own secret key material.  This list is discussing
an agent which manages your known peers' public key material.
> 
> If we standardize on a way to store OTR keys as a subkey in GPG (like was
> discussed in [1]), we additionally make it possible to use the WoT for
> retrieving, verifying and revoking keys.
> 
> There are however a couple of things of which I'm not sure how good they match
> up. Can we store arbitrarily formatted IM handles with known public keys (not
> just those that look like emails)?

yes, the OpenPGP User ID subpacket is an arbitrary UTF-8 string.

> Can you apply a trust setting only to one specific subkey?

"trust" in GnuPG terms describes your willingness to rely on identity
certifications from the key in question.  e.g. "full ownertrust for
Alice's key A" means "if A has certified that key B belongs to Bob, then
i am willing to believe that key B belongs to Bob."

"validity", on the other hand, refers to the simpler idea that a given
key really belongs to the stated user.  e.g. "full validity for Alice's
Key A" means "I believe that key A belongs to Alice".

Note that these are both subjective terms, since different people have
different views of the WoT.

To answer your question, GnuPG's standard trust model is that ownertrust
applies to a primary key (and, transitively, to all
certification-capable subkeys properly bound to that primary).  If your
subkey is not certification-capable, though (i've seen very few which
are), assigning ownertrust to it would be meaningless, since it cannot
make any identity certifications.

> Is it even a good idea to use gpg's trust for OTR trust, or
> can that be a separate field?

I don't think "trust" is the term you're looking for here, since OTR
doesn't have such a concept.  I think you're asking about validity, and
i think yes, if i believe your key is valid (that is "I believe key X
belongs to you"), and you were to add a subkey marked somehow as "use
this key for my long-term OTR identity" (and it is properly
cryptographically bound to your primary key) then i see no reason that i
shouldn't be willing to accept that subkey in OTR conversations with you.

	--dkg
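The ownertrust/validity distinction and the subkey rule described in the reply above, as an added toy model (example code written for this page, not part of the original message and not GnuPG's or libotr's code). The `otr-identity` subkey marker and the `Keyring` class are assumptions for illustration, and the trust computation is a simplified form of GnuPG's default rule (it omits the check that the certifying key is itself valid).

```python
from collections import namedtuple
FULL, MARGINAL, NONE = "full", "marginal", "none"
# flags: "C" = certification-capable, "S" = signing-only, "otr-identity" = hypothetical OTR marker.
# primary: keyid of the primary key a subkey is bound to ("" when the key is itself a primary).
Key = namedtuple("Key", "keyid flags primary", defaults=[""])
# userid: arbitrary UTF-8 string (email address, XMPP JID, ...) certified on the target primary key.
Cert = namedtuple("Cert", "certifier target userid")
class Keyring:
    def __init__(self, keys, certs, ownertrust, ultimate):
        self.keys = {k.keyid: k for k in keys}
        self.certs, self.ownertrust, self.ultimate = certs, ownertrust, set(ultimate)

    def validity(self, keyid, userid):
        # Validity = "I believe this key belongs to this User ID".  Toy GnuPG rule: one certification
        # from a fully trusted key, or three from marginally trusted ones (certifier validity check omitted).
        if keyid in self.ultimate:
            return FULL
        full = marginal = 0
        for c in self.certs:
            if (c.target, c.userid) != (keyid, userid):
                continue
            signer = self.keys.get(c.certifier)
            if signer is None or "C" not in signer.flags:
                continue  # cannot make identity certifications, so ownertrust on it is meaningless
            owner = signer.primary or signer.keyid  # ownertrust is a property of the primary key
            trust = FULL if owner in self.ultimate else self.ownertrust.get(owner, NONE)
            full += trust == FULL
            marginal += trust == MARGINAL
        return FULL if full >= 1 or marginal >= 3 else (MARGINAL if marginal else NONE)

    def otr_subkey_acceptable(self, subkeyid, userid):
        # Accept a subkey for OTR only if it carries the hypothetical OTR identity marker, is
        # bound to a primary key, and that primary is fully valid for the IM handle in question.
        sub = self.keys.get(subkeyid)
        if sub is None or not sub.primary or "otr-identity" not in sub.flags:
            return False
        return self.validity(sub.primary, userid) == FULL
HANDLE = "xmpp:bob@jabber.example.net"  # constructed IM handle; deliberately not an email address
def demo():  # constructed keyring: me, Alice, and Bob with an OTR subkey and a signing-only subkey
    ring = Keyring(
        keys=[Key("ME", {"C"}), Key("A", {"C"}), Key("B", {"C"}),
              Key("B-OTR", {"otr-identity"}, "B"), Key("B-SIGN", {"S"}, "B")],
        certs=[Cert("ME", "A", "Alice <alice@example.org>"), Cert("A", "B", HANDLE),
               Cert("B-SIGN", "B", "Bob <bob@other.example>")],  # certifier cannot certify
        ownertrust={"A": FULL, "B-SIGN": FULL},  # the second is meaningless: B-SIGN cannot certify
        ultimate=["ME"])
    return {"alice": ring.validity("A", "Alice <alice@example.org>"), "bob_handle": ring.validity("B", HANDLE),
            "unverified_uid": ring.validity("B", "Bob <bob@other.example>"),
            "otr_subkey": ring.otr_subkey_acceptable("B-OTR", HANDLE),
            "sign_subkey": ring.otr_subkey_acceptable("B-SIGN", HANDLE)}
```

Running `demo()` shows Bob's non-email handle becoming fully valid through Alice's certification, the User ID "certified" only by the signing-only subkey staying at no validity despite the ownertrust assigned to that subkey, and only the marked, properly bound subkey being accepted for OTR.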

