Security issue: it isn't at all clear to me what "trust" means here. In something like GPG or SSL, the trusted assertion is "the key whose fingerprint is ...63c7cc90 is controlled by 'Simon McVittie <simon.mcvit...@collabora.co.uk>'" or "the key whose fingerprint is ... is controlled by the administrators of bugs.freedesktop.org" - it binds a key to a somewhat human-comprehensible identity (name and email address, or domain name). I would have automatically assumed that the same was true in OTR - binding a key fingerprint to a JID (or whatever else the identifier is, in non-XMPP protocols) - but that doesn't seem to be happening here. Instead, we're saying "I trust this fingerprint" but it isn't clear what property of the fingerprint we're trusting. In particular, we don't seem to be binding a fingerprint to a JID.
Concretely, suppose I talk to xavier.claess...@collabora.co.uk and you present key ID 12345678 [1]. I verify out-of-band that that is really your key ID (perhaps by phoning you or receiving GPG-signed email) and mark it as trusted. Next, I talk to guillaume.desmot...@collabora.co.uk who presents key ID fedcba98, and again, I mark it as trusted. Now Guillaume hijacks your XMPP account, and when I next try to talk to you, Guillaume presents key ID fedcba98. I have "trusted" that key, so my UI doesn't indicate that anything is wrong - but it isn't your key, it's Guillaume's! How does OTR typically deal with this situation? Do OTR users memorize key IDs and ignore the JIDs and contact names presented by the UI, or does the Pidgin OTR plugin store pairs (JID, key ID) and warn the user if an unexpected pairing is found, or does "trust" here mean "I trust this person not to impersonate any of my other contacts"? [1] in real life the key ID would be longer than that, but you get the idea -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to empathy in Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption Status in Chat app, and Telepathy user interface: Confirmed Status in One Hundred Papercuts: Invalid Status in Telepathy framework - library: Confirmed Status in “empathy” package in Ubuntu: Triaged Status in “libtelepathy” package in Ubuntu: Confirmed Status in “empathy” package in Fedora: Won't Fix Bug description: Binary package hint: empathy Hello, I just tried empathy (the Intrepid version) and it looked very solid and stable. There were a few minor things that could be improved (e.g. automatically resizing the contact list), but that is not the topic here. The reason why I won't switch to empathy from pidgin is the missing OTR support (http://www.cypherpunks.ca/otr/ ). This is a really important feature because no one should read your messages. There were others with the same idea (links at the bottom). Would be so great if it could support that important encryption standard. Thanks for helping out! Links: https://bugs.launchpad.net/ubuntu/+source/empathy/+bug/253452/comments/2 http://lists.cypherpunks.ca/pipermail/otr-users/2008-September/001479.html http://bugs.freedesktop.org/show_bug.cgi?id=16891 To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
