Hi,

Lately I've been thinking about how to communicate the decisions OTR is making in such a way that users can make informed choices based on that. I realized that one thing I've missed when using OTR-enabled clients is the possibility of knowing whether my peer has validated my key or not.

I would like to propose a new experimental TLV that would roughly work like this:

It will be automatically sent in two cases:
- after the initial AKE has finished
- when any of the information conveyed in the TLV has changed

The information in the TLV would simply be two values. The first one is a boolean that says whether my OTR instance has authenticated the other person's fingerprint or concluded an SMP successfully. The second value is a value that can range from 0 to 100 and is something I call a "security rating". Basically, this rating is an opaque judgment of how secure the connection is from my perspective. It can take into account whether I'm using TLS to talk to the XMPP server, whether Tor is used, whether logs are turned off, etc. The idea is that my client can give the other client a rough indication of how secure we think the situation is. This second value is vaguely specified on purpose, since it will always be subjective to the local peer's situation.

So - is this proposal completely stupid, or something others think would be valuable as well?

Thoughts?

--
Ola Bini (https://olabini.se)

"Yields falsehood when quined" yields falsehood when quined.

_______________________________________________
OTR-dev mailing list
[email protected]
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
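
A sketch of how the TLV proposed in the message above could be framed, parsed and scheduled, added here as an example and not part of the original post or of any OTR implementation. The type number 0xF001, the two-byte value layout and the names PeerStatus and StatusSender are assumptions; only the standard OTR TLV framing (2-byte type, 2-byte length, value) comes from the protocol.

```python
import struct
from typing import NamedTuple, Optional

# Assumption: placeholder type number, not assigned by any OTR specification.
TLV_PEER_STATUS = 0xF001

class PeerStatus(NamedTuple):
    authenticated: bool   # fingerprint verified or SMP concluded successfully
    rating: int           # opaque "security rating", 0..100

def encode(status: PeerStatus) -> bytes:
    if not 0 <= status.rating <= 100:
        raise ValueError("rating must be in 0..100")
    # Assumed value layout: one flag byte followed by one rating byte.
    value = bytes([1 if status.authenticated else 0, status.rating])
    # OTR TLV framing: 2-byte type, 2-byte length, then the value (big-endian).
    return struct.pack(">HH", TLV_PEER_STATUS, len(value)) + value

def decode(buf: bytes) -> PeerStatus:
    if len(buf) < 4:
        raise ValueError("truncated TLV header")
    tlv_type, length = struct.unpack(">HH", buf[:4])
    value = buf[4:4 + length]
    if tlv_type != TLV_PEER_STATUS:
        raise ValueError("not a peer-status TLV")
    if length != 2 or len(value) != 2:
        raise ValueError("bad value length")
    flag, rating = value
    # Reject malformed fields instead of clamping or coercing them.
    if flag not in (0, 1) or rating > 100:
        raise ValueError("field out of range")
    return PeerStatus(bool(flag), rating)

class StatusSender:
    """Emits the TLV after the AKE and whenever the local status changes."""
    def __init__(self) -> None:
        self.last_sent: Optional[PeerStatus] = None

    def on_ake_finished(self, current: PeerStatus) -> bytes:
        self.last_sent = current
        return encode(current)

    def on_status_update(self, current: PeerStatus) -> Optional[bytes]:
        if current == self.last_sent:
            return None           # nothing changed, nothing to send
        self.last_sent = current
        return encode(current)
```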
