[Security] Gajim 0.12's E2E encryption UI

Jonathan Schleifer js-xmpp-security at webkeks.org
Thu Aug 21 10:17:47 CDT 2008


Simon Josefsson <simon at josefsson.org> wrote:

> You can transform an OpenPGP key fingerprint into a SAS-like string,
> if that makes you feel better, and ask users to verify that.  Hash the
> OpenPGP fingerprint, truncate it and encode it using the same length
> and characters as used by SAS today.

That is basically "just take the sort version of the fingerprint",
which you can read everywhere, is not enough, as only that part is easy
forgable.

> If you don't think that is acceptable, the challenge is yours to come
> up with something better.  The security industry have been trying for
> many years...  I'm not aware of any technology that is more secure and
> simpler to use than TLS+OpenPGP with user-assisted fingerprint
> verification, but I'd love to hear your counter-proposal.

The SAS is done with the DH values calculated at session negotiation,
so you see if there's MITM because they don't match then.

> Disclaimer: I haven't studied the ESession protocol.

Maybe you should ;). It's done there like this.

-- 
Jonathan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
Url : http://mail.jabber.org/pipermail/security/attachments/20080821/31da2763/attachment.pgp 


More information about the Security mailing list