Hey,

I would like to add authentication and encryption to a chat-client with CADET. If I understood the docs correctly, then the messages are only signed by the key from a peer.

I thought I could use EGO for that, but I'm not sure if the names get checked for doubles before creation of an ego. I would guess they aren't, and if they weren't I would ask how some of you would think about this procedure:

1. Alice asks Bob for his public-PGP-key and his public-EGO-key.
2. Bob responds with his key.
3. Alice sends her public-PGP-key and related email-address of her PGP-keypair, encrypted with Bob's public-PGP-key.
4. Bob sends a mail encrypted with Alice's public-PGP-key and signed with his private-PGP-key. The content of the mail is a token only Alice can read.
5. Alice sends the token (only if it was Bob's signature) to Bob and her public-EGO-key, encrypted with Bob's public-EGO-key.
6. Bob sends (only if the token matches) a symmetric key back for further communication, encrypted with Alice's public-EGO-key, and remembers Alice's EGO-key matching her email-address.

So in later stages Alice would not need any email-traffic for verification that her key belongs to her, and she could use an EGO-key which could be deleted much safer to make sure of forward-secrecy.

Maybe this is unnecessary or I'm missing a flaw in this model. So a response would be great, then I could start implementing a solution.

Best regards,
Tobias Frisch

PS: I would probably use GPGMe to implement the custom procedure because it has a pretty good API like GNUnet.
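Bob's bookkeeping for steps 4 to 6 of the procedure above, as an added sketch that is not part of the original post and not GNUnet or GPGME code. The names `BobVerifier`, `issue_token`, `redeem` and `TOKEN_TTL` are hypothetical; PGP/EGO encryption, signing and mail delivery are assumed to happen outside this code, Bob is assumed to know from step 3 which email address a session claims, and the token expiry and single-use rules are added assumptions the post does not state.

```python
import hmac
import secrets
import time

TOKEN_TTL = 600  # seconds; assumed lifetime, the post does not give one


class BobVerifier:
    """Tracks outstanding tokens and the email -> EGO key bindings Bob remembers."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # email -> (token, expiry timestamp)
        self.bindings = {}       # email -> verified public EGO key

    def issue_token(self, email):
        """Step 4: create the token Bob mails to Alice (PGP-encrypted and signed)."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # A new request for the same address replaces any older token.
        self._pending[email] = (token, self._now() + TOKEN_TTL)
        return token

    def redeem(self, email, token, ego_pubkey):
        """Steps 5-6: bind ego_pubkey to email only if the token matches.

        Returns True when Bob may go on to send the symmetric key.
        """
        # pop() makes every token single use, even when the attempt fails,
        # so a wrong guess cannot be retried against the same token.
        entry = self._pending.pop(email, None)
        if entry is None:
            return False
        expected, expiry = entry
        if self._now() > expiry:
            return False
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return False
        # A fresh email proof may replace an older EGO key for this address,
        # which matches the post's idea of deleting EGO keys over time.
        self.bindings[email] = ego_pubkey
        return True
```
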
