authentication for/with OTR #115

Open
opened 2 weeks ago by deknos · 4 comments
deknos commented 2 weeks ago

People are still using OTR with jabber. can we have a authentication possibility with keyoxide and OTR? :)

People are still using OTR with jabber. can we have a authentication possibility with keyoxide and OTR? :)
Owner

Could you ELI5 or send a link with an explanation? XMPP is not my forte.

Could you ELI5 or send a link with an explanation? XMPP is not my forte.
Poster

I would extend this request, i will explain the protocols i would request down here.

I would request, that the following E2E-protocols are supported for identification/authentication:

OpenPGP is a PGP implementation over XMPP, it is not very popular as it does not support Deniability, but still there are users out there. There's also a working Plugin for Pidgin, which also has Package in Ubuntu and Debian

OTR is the first implementation which supports deniability and was back then very popular. There is a working plugin for Pidgin which is also packaged in Debian and Ubuntu. There also exists a implementation for hexchat which makes it usable in IRC.

OMEMO is somewhat the successor of OTR, but OTR is still heavily used. Though there is a omemo plugin for Pidgin for Jabber, there's no packaging for it in Ubuntu/Debian and there's no IRC plugin to my knowledge.

Regarding Jabber, that is a protocol called XMPP, which is defined by https://xmpp.org/

Do you need more information?

I can also help with tests?

I would extend this request, i will explain the protocols i would request down here. I would request, that the following E2E-protocols are supported for identification/authentication: * OpenPGP * https://xmpp.org/extensions/xep-0373.html (specification) * OTR * https://xmpp.org/extensions/xep-0364.html (specification) * https://otr.cypherpunks.ca/index.php (original authors) * https://otr.im/clients.html * OMEMO * https://xmpp.org/extensions/xep-0384.html (specification) * https://omemo.top/ (list which clients support omemo well) * https://conversations.im/omemo/ OpenPGP is a PGP implementation over XMPP, it is not very popular as it does not support Deniability, but still there are users out there. There's also a working Plugin for Pidgin, which also has Package in Ubuntu and Debian OTR is the first implementation which supports deniability and was back then very popular. There is a working plugin for Pidgin which is also packaged in Debian and Ubuntu. There also exists a implementation for hexchat which makes it usable in IRC. OMEMO is somewhat the successor of OTR, but OTR is still heavily used. Though there is a omemo plugin for Pidgin for Jabber, there's no packaging for it in Ubuntu/Debian and there's no IRC plugin to my knowledge. Regarding Jabber, that is a protocol called XMPP, which is defined by https://xmpp.org/ Do you need more information? I can also help with tests?
Owner

Thanks for the explanations. Now, I am still curious on what it means to support "XMPP with E2E protocols" (just to make sure we're on the same page).

For example, XMPP+OMEMO is already supported (docs on XMFF+OMEMO). But OMEMO isn't actually used as part of the verification process, only the Jabber ID is. Once the identity is verified, Keyoxide just shows the entire URI including OMEMO keys.

Is this what you envision for XMPP+OTR and XMPP+OpenPGP as well? The identification process remains the same, it's just the clickable URI after verification that includes handy parameters such as public keys?

Thanks for the explanations. Now, I am still curious on what it means to support "XMPP with E2E protocols" (just to make sure we're on the same page). For example, XMPP+OMEMO is already supported ([docs on XMFF+OMEMO](https://docs.keyoxide.org/service-providers/xmpp/)). But OMEMO isn't actually used as part of the verification process, only the Jabber ID is. Once the identity is verified, Keyoxide just shows the entire URI *including* OMEMO keys. Is this what you envision for XMPP+OTR and XMPP+OpenPGP as well? The identification process remains the same, it's just the clickable URI after verification that includes handy parameters such as public keys?
yarmo added the
question
label 2 weeks ago
Poster

Hm, good point. yes, i would want the jabber id and the key verified for XMPP+(OTR|OpenPGP).

but i do not know how to "export" otr keys. there's a intrinsic authentication mechanism in OTR where you establish authenticity via a "real" challenge-response-mechanism (you specify question and answer and if the other writes the right characters as the answer, you both are authenticated)
i have to look into that.

Hm, good point. yes, i would want the jabber id and the key verified for XMPP+(OTR|OpenPGP). but i do not know how to "export" otr keys. there's a intrinsic authentication mechanism in OTR where you establish authenticity via a "real" challenge-response-mechanism (you specify question and answer and if the other writes the right characters as the answer, you both are authenticated) i have to look into that.
Sign in to join this conversation.
No Milestone
No project
No Assignees
2 Participants
Notifications
Due Date

No due date set.

Dependencies

This issue currently doesn't have any dependencies.

Loading…
There is no content yet.