burdges
commented
9 years ago Ideally, you should share a hash of your public key since the server never sees the public key. It's okay to share the public key itself I suppose. Do not stare your public identity because the server knows that. If you're interesting enough, then you might even make the server a target for your adversary by sharing your public identity.
I've a pull request deriving a finger print from the public key here : https://github.com/agl/pond/pull/175 It's complicated however because @agl has code that derives the public identity from the public key, thus breaking the above! At present, we're not using this code but it activates if a future revision that switches to the v2 ratchet. Do not use this pull request until @agl has reviewed it.
While instructing someone on using pond the first thing the did after getting it running was pasted to me (over the unencrypted channel we were chatting over) the pondserver url and public identity-- which I assume might (e.g. in connection with a server compromise) reduce the traffic analysis immunity.
Message content has whatever obvious privacy properties it should have, but other things that shouldn't be made public should probably be put behind a more obvious diagnostic interface.