> Any thoughts on allowing OTR to grab a key from an OpenPGP cert? I had brought this question up on the pidgin ticket system before it dawned on me that it was more associated with OTR; but then I had second thoughts ... I'm posting here a part of my post over there, as I think it's relevant for broader discussion. Perhaps there is a way around the issues I'm bringing up? A key management plugin, perhaps, that encryption plugins depend on??
https://developer.pidgin.im/ticket/15805#comment:3 ... I must say that even dealing with it in OTR leaves a problem. We have three encryption plugins: OTR, Pidgin-GPG and Pidgin-Encryption. The latter two are quite different from OTR, giving us the ability to leave asynchronous messages. So we need at least one of them. It would be annoying to have each plugin recreate the ability to access our OpenPGP cert. Besides the extra coding, if I use some key for OTR and use the same key for Pidgin-GPG (both, on the same account), I have to import it twice. Importing it twice, means my buddy has to verify it twice, once for each plugin, even if it's the same account. It seems to me what we really need is: (1, primary & less complicated) some kind of capacity in pidgin to associate a key with a specific account. (1.1) Instead of each plugin generating their own keys, we need one key generating mechanism. (1.2) Instead of each plugin importing OpenPGP keys, we need one key import mechanism. (2, secondary and slightly more complicated) When I verify my buddy's key, I want to be verifying it in an account, rather than once in OTR and etc for the other encryption plugins. So my buddy's keys should also be associated with the account, rather than the plugin. Verification is like signing a key, so what this would provide is effectively one keychain per account. (3, tertiary and difficult) It would be _really_ nice if I could import those keys in my gpg keyring whose ID's are associated with an account in my contacts list. Then, if a particular key presented by my buddy has a trust path in my gpg keyring, it would be marked in pidgin as verified for that account. This is pointing to some element of key management in Pidgin - somewhere between simple & more elaborate - rather than leaving it to the plugins. /DA _______________________________________________ OTR-dev mailing list [email protected] http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
