[Security] Gajim 0.12's E2E encryption UI

Peter Saint-Andre stpeter at stpeter.im
Thu Aug 21 14:20:00 CDT 2008


Dirk Meyer wrote:
> Simon Josefsson wrote:
>> Each client generates an OpenPGP key for the user when she creates an
>> account.  Instead of verifying a SAS in your example above, the users
>> need to verify the OpenPGP fingerprint.  If a SHA-1 hash is too
>> techno-babbly, a human-readable transformation of the fingerprint could
>> be used. 
> 
> Or we use TLS-RSP the first time and use that password to gain the
> trust. After that I know it is you and I know your OpenPGP key for the
> next time. This makes it possible to use a password only once and use
> OpenPGP after that. It could also auto-sign keys with a minimum trust
> level once I verified you with RSP.
> 
>> Advanced users can configure the client to use their already
>> existing OpenPGP key if they want to re-use it for XMPP, which
>> allows for re-use of the existing web of trust.
> 
> You could also sign your new key with the old one trusting yourself.

Would we still need user keys and client keys?

One nice thing about OpenPGP is that we could re-use XEP-0027 for the 
offline messaging case:

http://www.xmpp.org/extensions/xep-0027.html

It probably needs a once-through to clean up various aspects, though.

Peter
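
The fingerprint check discussed in the quoted text above, as an added example that is not part of the original thread or of any client's code: it computes an OpenPGP version 4 fingerprint (RFC 4880, section 12.2) and renders it in grouped form for two users to compare. The helper names, the toy RSA modulus and the creation time are constructed for illustration.

```python
import hashlib
import hmac
import struct


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_key_packet_body(created: int, n: int, e: int) -> bytes:
    """Version 4 public-key packet body: version, creation time, algorithm 1 (RSA), n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """SHA-1 over 0x99, the 2-byte body length, and the packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def readable(fp: bytes) -> str:
    """Ten groups of four hex digits in two halves, easier to read aloud than 40 raw digits."""
    h = fp.hex().upper()
    groups = [h[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def matches(fp: bytes, typed: str) -> bool:
    """Check a fingerprint the user typed or pasted, ignoring spacing and case."""
    cleaned = "".join(typed.split()).lower()
    try:
        candidate = bytes.fromhex(cleaned)
    except ValueError:
        return False  # not hex at all, or an odd number of digits
    return hmac.compare_digest(fp, candidate)


# Constructed sample key: a toy modulus far too small for real use.
TOY_N = (2**127 - 1) * (2**89 - 1)
CREATED = 1219346400  # constructed creation timestamp
SAMPLE_FP = v4_fingerprint(rsa_key_packet_body(CREATED, TOY_N, 65537))

if __name__ == "__main__":
    print(readable(SAMPLE_FP))
```

Because the creation time is part of the hashed packet body, the same key material with a different timestamp yields a different fingerprint.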