Dirk Meyer wrote:
Simon Josefsson wrote:Each client generate an OpenPGP key for the user when she creates an account. Instead of verifying a SAS in your example above, the users needs to verify the OpenPGP fingerprint. If a SHA-1 hash is too techno-babbly, a human-readable transformation of the fingerprint couldbe used.Or we use TLS-RSP the first time and use that password to gain the trust. After that I know it is you and I know your OpenPGP key for the next time. This makes it possible to use a password only once and use OpenPGP after that. It could also auto-sign keys with a minimum trust level once I verified you with RSP.Advanced users can configure the client to use their already existing OpenPGP key if they want to re-use it for XMPP, which allows for re-use of the existing web of trust.You could also sign your new key with the old one trusting yourself.
Would we still need user keys and client keys?One nice thing about OpenPGP is that we could re-use XEP-0027 for the offline messaging case:
http://www.xmpp.org/extensions/xep-0027.html It probably needs a once-through to clean up various aspects, though. Peter
smime.p7s
Description: S/MIME Cryptographic Signature
