[guardian-dev] libotr for gibberbot?

Hans-Christoph Steiner hans at at.or.at
Mon Nov 14 11:07:06 EST 2011


Hey Martin,

I agree with the goals of OTR there, and I think that storing the OTR key in your PGP maintains those goals. OTR uses a public/private key pair, just like PGP, to certify the identity of the person you are chatting with. This key is long-lived, stored, and should be certified, via fingerprint checks or Socialist Millionaires Protocol. So it's very much like a PGP key. The OTR protocol uses those keys to generate other keys for the session, and that is what allows it to do what it does.

I'm not talking about using a PGP sig to sign OTR conversations, which would break deniability. I am talking about linking the long-lived private keys and certification parts.

.hc

On Nov 14, 2011, at 5:00 AM, Martin Hanc wrote:

> Hey all,
> 
> not sure if integrating PGP with OTR keys is a good idea. The original purpose and design of OTR keys was not to provide a digital signature, but rather authenticity only. From http://www.cypherpunks.ca/otr/
> Deniability
> The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
> No PGP in OTR is a design choice and integration with PGP would remove features of OTR, making it useless for 'anonymous' private sessions.
> 
> Martin
> 
> On Sat, Nov 12, 2011 at 3:25 AM, Hans-Christoph Steiner <hans at at.or.at> wrote:
> 
> On Nov 11, 2011, at 9:14 PM, Miron wrote:
> 
> > On 11-11-11 01:58 PM, Hans-Christoph Steiner wrote:
> >> On Nov 11, 2011, at 4:48 PM, Jacob Appelbaum wrote:
> >>
> >>> On 11/11/2011 12:36 PM, Hans-Christoph Steiner wrote:
> >>>> It's looking more and more like libotr is a good central point for us to be working on for handling improvements related to OTR.  For example, if it turns out to be a solid idea, I will be implementing OTR keys being integrated into OpenPGP keys.  That would happen in libotr for Pidgin and Adium.  I could either spend the time to reimplement that in Java, or make JNI wrappers for libotr and use gpgme-for-java.  The second approach would then also give us a fully functional OpenPGP stack versus the limited one in APG.  It would also give us the Socialist Millionaires Protocol, implemented in libotr 3.2.
> >>>>
> >>>> Anyone have any counterpoints to switching Gibberbot to libotr?
> >>>>
> >>> Memory corruption bugs! Unless you mean the libotr in Java?
> >>>
> >>> Please consider a full re-implementation of OTR in a type safe language
> >>> rather than simply switching to native code or code written by the OTR
> >>> team; we should try to avoid a privacy software monoculture.
> >>>
> >>> Check this out:
> >>> https://github.com/afflux/pure-python-otr
> >>>
> >>> All the best,
> >>> Jake
> >> I wish we could use python, but that's not an option for this project.  A full Java implementation of OTR would also be good to have, but it seems that I would then spend my project time on that, and not on improving the usefulness of OTR, which is the scope of this project (PSST: https://guardianproject.info/wiki/PSST).  If someone wanted to implement the Socialist Millionaires Protocol in otr4j, I'd gladly use it.
> >
> > I can take this on.
> 
> Excellent!  I'm sure the jitsi devs will be happy too, they are the authors of otr4j.
> 
> .hc
> 
> 
> ----------------------------------------------------------------------------
> 
> Programs should be written for people to read, and only incidentally for machines to execute.
>  - from Structure and Interpretation of Computer Programs



----------------------------------------------------------------------------

"[W]e have invented the technology to eliminate scarcity, but we are deliberately throwing it away to benefit those who profit from scarcity."        -John Gilmore
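
The deniability property debated in this thread, as an added example that is not part of the original messages and is not code from libotr or otr4j: chat messages are authenticated with a MAC under a key both peers share, so the correspondent can check them during the session but a transcript proves nothing to a third party. This is a simplified model using Python's standard library; the function names, the KDF label and the random stand-in for the key exchange are assumptions, not OTR's wire format.

```python
import hashlib
import hmac
import secrets


def derive_mac_key(shared_secret: bytes) -> bytes:
    # Hypothetical KDF label; real OTR derives its MAC keys differently.
    return hashlib.sha256(b"demo-mac-key" + shared_secret).digest()


def make_tag(mac_key: bytes, message: bytes) -> bytes:
    return hmac.new(mac_key, message, hashlib.sha256).digest()


def verify(mac_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(make_tag(mac_key, message), tag)


def run_session() -> dict:
    # Constructed stand-in for the secret both peers hold after a key
    # exchange authenticated by their long-lived keys (not modelled here).
    shared_secret = secrets.token_bytes(32)
    alice_key = derive_mac_key(shared_secret)
    bob_key = derive_mac_key(shared_secret)

    # During the conversation Bob can check that a message is authentic.
    sent = b"meet at noon"
    sent_tag = make_tag(alice_key, sent)
    results = {
        "bob_accepts_real": verify(bob_key, sent, sent_tag),
        "bob_rejects_tampered": not verify(bob_key, b"meet at nine", sent_tag),
        "outsider_key_fails": not verify(secrets.token_bytes(32), sent, sent_tag),
    }

    # Bob holds the same key, so he can tag text Alice never wrote. A third
    # party shown the transcript cannot tell which peer produced a tag.
    forged = b"text Alice never sent"
    results["peer_forgery_verifies"] = verify(alice_key, forged, make_tag(bob_key, forged))

    # Once the MAC key is published after the conversation, anyone can forge.
    revealed_key = alice_key
    late = b"written by a stranger afterwards"
    results["post_hoc_forgery_verifies"] = verify(bob_key, late, make_tag(revealed_key, late))
    return results


if __name__ == "__main__":
    for name, value in run_session().items():
        print(f"{name}: {value}")
```

A signature made with a long-lived private key over each message would instead be checkable by anyone holding the public key, which is the loss of deniability both posters want to avoid.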
