How should we communicate v3 + v4 long-term keys (and fingerprints) to the user?

[claucece]

Question from @juniorz : The OTRv4 long-term (public) key is published together with a user profile that's signed with the OTRv3 long-term (private) key.

Can we make use of this and simplify the UI? Can we omit OTRv4 fingerprint when there's a profile signed by a trusted OTRv3 key?

@olabini : No, I don't think we should omit the OTRv4 fingerprint, since then we reduce the security of the connection to the security of the OTRv3 key - and the whole point of updating to modern algorithms and sizes is that the old OTRv3 signing is not strong enough anymore.

[claucece]

@sahrosa this is a UI issue :)

[deniscostadsc]

The authentication of another user is done on OTR menu option, and then user click on "Authenticate buddy", as can be seen below: After a window will pop up asking for the authentication method. The default method is question and question and answer. So, to see the fingerprint we need to changed to "Manual fingerprint verification". And then we'll see something similar to following image: In this case, Alice's fingerprint is:

Purported fingerprint for alice@localhost:
C65D1F68 F374F317 4C54FEDC 4CBA0B04
FFC9BD1D 6FEFE9A0 3CC839AF 53ABFF15
6EA5E422 CAA3679A 692B586E 9A6AB3F9
8D954BC5 1B8109F1

Brainstorm

1. Show both fingerprints is just concatenate then into one, the result will be similar to this:

Purported fingerprint for alice@localhost:
C65D1F68 F374F317 4C54FEDC 4CBA0B04
FFC9BD1D 6FEFE9A0 3CC839AF 53ABFF15
6EA5E422 CAA3679A 692B586E 9A6AB3F9
8D954BC5 1B8109F1 40B0ABC4 CDEF45C4
51FFBA35 FA938CC3 0A9EFEF6 D1DB9CFF
9F3BA6A9 E685B296 A9763AAC 224E5AE6
1F9018B1 5CB459D8 713F473F 86F1D56C

Problems:

• user can get confuse by the length of the fingerprint varying (shorter if user only has otrv4 key).

2. Has two session on for each fingerprint. Like this:

OTRv4 fingerprint for alice@localhost:
C65D1F68 F374F317 4C54FEDC 4CBA0B04
FFC9BD1D 6FEFE9A0 3CC839AF 53ABFF15
6EA5E422 CAA3679A 692B586E 9A6AB3F9
8D954BC5 1B8109F1

OTRv3 fingerprint for alice@localhost:
40B0ABC4 CDEF45C4
51FFBA35 FA938CC3 0A9EFEF6 D1DB9CFF
9F3BA6A9 E685B296 A9763AAC 224E5AE6
1F9018B1 5CB459D8 713F473F 86F1D56C

Problems:

• user can miss of the fingerprint when checking.

Please, feel free to edit this comment and add more possible solutions

[claucece]

The issue is for showing everywhere. It is missing on the configuration options:

and also the fingerprints of the parties:

Show both fingerprints is just concatenate then into one, the result will be similar to this:

This will be very confusing for an user.

Has two session on for each fingerprint. Like this:

This can work.

We were thinking with @sahrosa and @giovaneliberato to create a hash of both fingerprints and show that as the fingerprint, maybe.

Thanks!

[giovaneliberato]

hey @claucece, just a clarification

We were thinking with @sahrosa and @giovaneliberato to create a hash of both fingerprints and show that as the fingerprint, maybe.

If we decide going this way, this need to be a spec decision rather than a plugin decision, right?

[claucece]

@giovaneliberato probably...

[deniscostadsc]

We were thinking with @sahrosa and @giovaneliberato to create a hash of both fingerprints and show that as the fingerprint, maybe.

That makes a lot of sense!

[olabini]

I think they need to be shown separately. When it comes to the list of fingerprints that we have seen, my proposal is that we have a new column with v3 or v4, and then simply add a line for when we see a v4 or a v3 fingerprint. Now, we will only show a v3 fingerprint here if we have done a v3 AKE.

[olabini]

We have implemented this in the way I suggested. From my perspective it seems to work fine.