[Security] Gajim 0.12's E2E encryption UI

Dirk Meyer dmeyer at tzi.de
Thu Aug 21 14:17:14 CDT 2008


Simon Josefsson wrote:
> Each client generate an OpenPGP key for the user when she creates an
> account.  Instead of verifying a SAS in your example above, the users
> needs to verify the OpenPGP fingerprint.  If a SHA-1 hash is too
> techno-babbly, a human-readable transformation of the fingerprint could
> be used. 

Or we use TLS-RSP the first time and use that password to gain the
trust. After that I know it is you and I know your OpenPGP key for the
next time. This makes it possible to use a password only once and use
OpenPGP after that. It could also auto-sign keys with a minimum trust
level once I verified you with RSP.

> Advanced users can configure the client to use their already
> existing OpenPGP key if they want to re-use it for XMPP, which
> allows for re-use of the existing web of trust.

You could also sign your new key with the old one trusting yourself.


Dirk

-- 
The only problem with mornings is that they happen too early in the
day.


More information about the Security mailing list