[Security] Gajim 0.12's E2E encryption UI
stpeter at stpeter.im
Thu Aug 21 14:20:00 CDT 2008
Dirk Meyer wrote:
> Simon Josefsson wrote:
>> Each client generates an OpenPGP key for the user when she creates an
>> account. Instead of verifying a SAS in your example above, the user
>> needs to verify the OpenPGP fingerprint. If a SHA-1 hash is too
>> techno-babbly, a human-readable transformation of the fingerprint could
>> be used.
> Or we use TLS-RSP the first time and use that password to gain the
> trust. After that I know it is you and I know your OpenPGP key for the
> next time. This makes it possible to use a password only once and use
> OpenPGP after that. It could also auto-sign keys with a minimum trust
> level once I verified you with RSP.
>> Advanced users can configure the client to use their already
>> existing OpenPGP key if they want to re-use it for XMPP, which
>> allows for re-use of the existing web of trust.
> You could also sign your new key with the old one trusting yourself.
Would we still need user keys and client keys?
One nice thing about OpenPGP is that we could re-use XEP-0027 for the
offline messaging case:
It probably needs a once-through to clean up various aspects, though.
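An added illustration (not code from this thread or from Gajim) of the key-continuity idea discussed above: a contact's OpenPGP fingerprint is recorded once after a one-time verification, and later sessions are checked against it. The "public key" bytes and the JIDs are constructed sample values; the fingerprint is a SHA-1 over those bytes, standing in for a real v4 key-packet fingerprint.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(pubkey_bytes: bytes) -> str:
    """Constructed stand-in for an OpenPGP v4 fingerprint (SHA-1, 40 hex digits)."""
    return hashlib.sha1(pubkey_bytes).hexdigest().upper()


def human_readable(fpr: str) -> str:
    """Render the fingerprint in gpg-style groups of four so a user can read it back."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))


@dataclass
class TrustStore:
    # jid -> (fingerprint, how it was verified: "password" or "fingerprint")
    keys: dict = field(default_factory=dict)

    def verify_once(self, jid: str, fpr: str, method: str) -> None:
        """Record a key after an out-of-band check succeeded (one-time password
        exchange or a read-back of the fingerprint). Done once per contact."""
        self.keys[jid] = (fpr, method)

    def check(self, jid: str, presented_fpr: str) -> str:
        """Classify the key a contact presents at the start of a new session."""
        if jid not in self.keys:
            return "unknown"    # first contact: a one-time verification is required
        known, _method = self.keys[jid]
        if known == presented_fpr:
            return "trusted"    # same key as when we verified: no prompt needed
        return "mismatch"       # key changed: re-verify, never accept silently


if __name__ == "__main__":
    store = TrustStore()
    alice = fingerprint(b"constructed public key of alice")  # constructed sample
    print(store.check("alice@example.org", alice))            # unknown
    store.verify_once("alice@example.org", alice, "password")
    print(store.check("alice@example.org", alice))            # trusted
    print(human_readable(alice))
```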