[Pidgin] #15805: OpenPGP Cert _with_ OTR (not instead of OTR)

Pidgin trac at pidgin.im
Thu Nov 7 05:07:31 EST 2013


#15805: OpenPGP Cert _with_ OTR (not instead of OTR)
------------------------------------+---------------------------
 Reporter:  diagon                  |       Owner:  EionRobb
     Type:  defect                  |      Status:  new
Milestone:                          |   Component:  unclassified
  Version:  2.10.7                  |  Resolution:
 Keywords:  OpenPGP OTR WebofTrust  |
------------------------------------+---------------------------

Comment (by diagon):

 [Edited]

 Given that OTR is a plugin, perhaps you are right.  So, I've brought it up
 here:
 http://www.cypherpunks.ca/pipermail/otr-dev/2013-November/001985.html
 (The issue has been brought up before and is being considered, see
 discussion there).

 Still, I must say that even dealing with it in OTR leaves a problem.  We
 have three encryption plugins: OTR, Pidgin-GPG and Pidgin-Encryption.  The
 latter two are quite different from OTR, giving us the ability to leave
 asynchronous messages.  So we need at least one of them.  It would be
 annoying to have each plugin recreate the ability to access our OpenPGP
 cert.  Besides the extra coding, if I use some key for OTR and use the
 same key for Pidgin-GPG (both, on the same account), I have to import it
 twice.  Importing it twice means my buddy has to verify it twice, once
 for each plugin, even if it's the same account.

 It seems to me what we really need is:

 (1, primary & less complicated) some kind of capacity in pidgin to
 associate a key with a specific account.

 (1.1) Instead of each plugin generating their own keys, we need one key
 generating mechanism.

 (1.2) Instead of each plugin importing OpenPGP keys, we need one key
 import mechanism.

 (2, secondary and slightly more complicated) When I verify my buddy's key,
 I want to be verifying it in an account, rather than once in OTR and etc
 for the other encryption plugins.  So my buddy's keys should also be
 associated with the account, rather than the plugin.

 Verification is like signing a key, so what this would provide is
 effectively one keychain per account.

 (3, tertiary and difficult) It would be _really_ nice if I could import
 those keys in my gpg keyring whose IDs are associated with an account in
 my contacts list. Then, if a particular key presented by my buddy has a
 trust path in my gpg keyring, then it would be marked in pidgin as
 verified for that account.

 This is pointing to some element of key management in Pidgin - somewhere
 between simple & more elaborate - rather than leaving it to the plugins.

-- 
Ticket URL: <https://developer.pidgin.im/ticket/15805#comment:3>
Pidgin <https://pidgin.im>