[Security] Gajim 0.12's E2E encryption UI

Simon Josefsson simon at josefsson.org
Thu Aug 21 03:38:57 CDT 2008


Brendan Taylor <whateley at gmail.com> writes:

> I've posted a description (with screenshots) of Gajim 0.12's end-to-end
> encryption UI: <http://necronomicorp.com/lab/gajim-0.12-esessions-ui>
>
> I think it's generally a good model and would like to be able to do
> something similar, whatever system we end up with.

That's useful; it looks like a fairly good user experience.

XMPP could use TLS and OpenPGP and achieve a similar user experience;
here's how:

Each client generates an OpenPGP key for the user when she creates an
account.  Instead of verifying a SAS as in your example above, the users
need to verify the OpenPGP fingerprint.  If a SHA-1 hash is too
techno-babbly, a human-readable transformation of the fingerprint could
be used.  Advanced users can configure the client to use their already
existing OpenPGP key if they want to re-use it for XMPP, which allows
for re-use of the existing web of trust.

Advanced clients could notice when the remote's OpenPGP key is already
trusted via the web-of-trust, and then print both the OpenPGP
fingerprint and the names of all keys in the OpenPGP trust path.  This
allows a user to have more confidence in the remote identity before
verifying the OpenPGP fingerprint herself.

/Simon
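
An added example, not part of the original message or of Gajim's code: one possible "human-readable transformation" of a 160-bit fingerprint, with a check that a phrase read out by a contact matches the key the client received. The proquint encoding (16 bits per pronounceable five-letter group) is this example's choice, since the message names no scheme; all function names and the sample fingerprint are constructed.

```python
import hmac

CONSONANTS = "bdfghjklmnprstvz"  # 16 symbols, 4 bits each
VOWELS = "aiou"                  # 4 symbols, 2 bits each
# One 16-bit word maps to consonant-vowel-consonant-vowel-consonant.
LAYOUT = ((12, CONSONANTS), (10, VOWELS), (6, CONSONANTS), (4, VOWELS), (0, CONSONANTS))


def normalize_fingerprint(text):
    """Parse a hex fingerprint (spaces or colons allowed) into 20 raw bytes."""
    raw = bytes.fromhex("".join(ch for ch in text if ch not in " :\t\n"))
    if len(raw) != 20:
        raise ValueError("expected a 160-bit fingerprint")
    return raw


def word_to_quint(word):
    return "".join(alpha[(word >> shift) & (len(alpha) - 1)] for shift, alpha in LAYOUT)


def quint_to_word(quint):
    if len(quint) != 5:
        raise ValueError("each group must have 5 letters")
    # str.index raises ValueError on a letter outside the alphabet.
    return sum(alpha.index(ch) << shift for ch, (shift, alpha) in zip(quint, LAYOUT))


def fingerprint_to_phrase(text):
    raw = normalize_fingerprint(text)
    return "-".join(word_to_quint(int.from_bytes(raw[i:i + 2], "big")) for i in range(0, 20, 2))


def phrase_to_bytes(phrase):
    groups = phrase.strip().lower().split("-")
    if len(groups) != 10:
        raise ValueError("expected 10 groups")
    return b"".join(quint_to_word(g).to_bytes(2, "big") for g in groups)


def phrase_matches_key(phrase, key_fingerprint):
    """True only if the phrase encodes exactly this key's fingerprint."""
    return hmac.compare_digest(phrase_to_bytes(phrase), normalize_fingerprint(key_fingerprint))


# Constructed sample fingerprint, not a real key.
SAMPLE = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
if __name__ == "__main__":
    print(fingerprint_to_phrase(SAMPLE))
```

The encoding is lossless, so the phrase carries the full 160 bits; shortening it for convenience would reduce the work needed to find a colliding key.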

