[Standards] OMEMO Key Agreement

Dave Cridland dave at cridland.net
Fri Jun 2 07:56:28 UTC 2017


On 1 June 2017 at 09:55, Remko Tronçon <remko at el-tramo.be> wrote:
> Just on this (because it might be relevant later): I think you're making
> fingerprint changes sound worse than they are. The only thing that gets
> lost is people who authenticated fingerprints out-of-band, but haven't yet
> confirmed this in their client and then upgrade.
> This could be as easy as a warning before upgrading "Do you have any
> fingerprints that you still haven't validated in the app". Even Signal
> (who seem very focused on UX) changed their fingerprints at some point
> AFAIK.

Just to clarify this in my own mind, you're saying that the
fingerprints (a method for one-time validation of a key) might change,
but the keys themselves need not, so previous validations made using a
deprecated fingerprint format would remain in effect?

Someone (I can't recall who) made the point that fingerprints might
have been placed in print, for example business cards etc, so I assume
that fingerprint compatibility is at least a nice-to-have, though I
suspect such cases are going to be very rare.

So:

Encryption Interop: Don't care (negotiable at runtime)
Key Compatibility: Forward - old keys should work with the new protocol.
Key Fingerprint Compatibility: Nice to have (but will only
affect/benefit small minority).

Is that a fair summary?

Dave.

