[Security] Gajim 0.12's E2E encryption UI

Simon Josefsson simon at josefsson.org
Thu Aug 21 07:28:39 CDT 2008


Jonathan Schleifer <js-xmpp-security at webkeks.org> writes:

> GPG should only be an option and not the default, never more, as GPG
> is not user friendly to the average user.

I don't think non-technical users need to ever see anything except
similar user interfaces as shown earlier in this thread.

> It wouldn't really work with a dialog like that. We already have
> problems getting people to verify the SAS, how do you expect them to
> verify a fingerprint? ;)

You can transform an OpenPGP key fingerprint into a SAS-like string, if
that makes you feel better, and ask users to verify that.  Hash the
OpenPGP fingerprint, truncate it and encode it using the same length and
characters as used by SAS today.

If you don't think that is acceptable, the challenge is yours to come up
with something better.  The security industry have been trying for many
years...  I'm not aware of any technology that is more secure and
simpler to use than TLS+OpenPGP with user-assisted fingerprint
verification, but I'd love to hear your counter-proposal.

Disclaimer: I haven't studied the ESession protocol.

/Simon


More information about the Security mailing list