[liberationtech] mod_require_otr in prosody
Ximin Luo
infinity0 at pwned.gg
Sun Feb 2 15:14:16 PST 2014
On 03/02/14 00:00, Ximin Luo wrote:
> On 02/02/14 18:25, Nathan of Guardian wrote:
>> On 02/02/2014 12:17 PM, Seth wrote:
>>> On Sat, 01 Feb 2014 04:16:34 -0800, Eleanor Saitta <ella at dymaxion.org>
>>> wrote:
>>>
>>>> Likewise, they mostly only support a single fingerprint per user,
>>>> which vastly complicates use with multiple (mobile/desktop, for
>>>> instance) clients.
>>>
>>> Are you aware of any OTR capable XMPP clients or OTR plugins which
>>> currently _do_ support multiple fingerprints per user?
>>
>> ChatSecure for Android does. We store fingerprints based on the full
>> JID, which includes the resource, meaning that:
>>
>> nathan at guardianproject.info/chatsecure
>> nathan at guardianproject.info/pidgin
>>
>> can have unique verified fingerprints.
>>
>
> I don't think this approach is useful, see http://sourceforge.net/p/otr/bugs/24/
>
Sorry, I'm confusing myself here. That bug is about storing the XMPP resource of the *source account* that *you* sign in as.
You were talking about the *target account* of your buddy. Storing (and matching against) the XMPP resource in this case, is not such of a big deal. However, I would still argue that it's unnecessary, for the reason below.
> When I validate a key I am validating it against an *identity* and not a device. It is not an attack if my friend moves the key from one device to another.
>
>> In our work documenting the various keystore formats for our KeySync
>> project, I know that we came across a few other apps that do this as
>> well, at least in theory.
>>
>> +n
>>
>
>
>
--
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
More information about the liberationtech
mailing list