otrv4 / libotr-ng

A new implementation of OTR with support for version 4. This is a mirror of https://bugs.otr.im/otrv4/libotr-ng

How should we communicate v3 + v4 long-term keys (and fingerprints) to the user? #27

Closed juniorz closed 6 years ago

juniorz commented 7 years ago

The OTRv4 long-term (public) key is published together with a user profile that's signed with the OTRv3 long-term (private) key.

Can we make use of this and simplify the UI? Can we omit the OTRv4 fingerprint when there's a profile signed by a trusted OTRv3 key?

olabini commented 6 years ago

No, I don't think we should omit the OTRv4 fingerprint, since then we reduce the security of the connection to the security of the OTRv3 key - and the whole point of updating to modern algorithms and sizes is that the old OTRv3 signing is not strong enough anymore.

claucece commented 6 years ago

Moving this to the plugin work.