[OTR-users] Pretty-please standardize OTR signature storage, per OS.
Tamme Schichler
tammeschichler at googlemail.com
Tue Sep 10 18:22:17 EDT 2013
On 10.09.2013 16:24, Thijs Alkemade wrote:
> Hello,
>
> Before we run off and start reimplementing something like a gpg-agent-for-otr,
> could we investigate whether it would be possible to just use gpg with
> gpg-agent itself for storing OTR keys and known fingerprints?
>
> It's a well established tool which has all the things like encrypted storage
> of private keys and management of known public keys figured out.
>
> If we standardize on a way to store OTR keys as a subkey in GPG (like was
> discussed in [1]), we additionally make it possible to use the WoT for
> retrieving, verifying and revoking keys.
>
> There are, however, a couple of things of which I'm not sure how well they match
> up. Can we store arbitrarily formatted IM handles with known public keys (not
> just those that look like emails)? Can you apply a trust setting only to one
> specific subkey? Is it even a good idea to use gpg's trust for OTR trust, or
> can that be a separate field?
>
> [1] = http://thread.gmane.org/gmane.ietf.openpgp/7333
>
> Regards,
> Thijs

Hello Thijs,

I looked at the gpg-agent protocol and it doesn't seem to have any key
management mechanisms. It seems key management runs completely on
gpg/gpgv2(.exe), which seems to have localized output and only works
with command line parameters and the standard IO streams. Not exactly an
easy-to-use API in my opinion.

The key management could work in principle though, it's just not
necessarily ideal for OTR.

-Tamme