larma, everything's working so far. But I have further questions.
Yagizа
larma, are there any suggestions about trust management? I don't really understand how to implement it within OMEMO, if Signal Protocol trust management mechanism is not recommended.
alexishas left
alexishas joined
Yagizа
larma, what about "kex" atribute of "key" element? Now I just treat it as a replacement for "prekey" attribute in old versions of OMEMO. Is that correct?
pulkomandyhas left
pulkomandyhas joined
neustradamushas left
pulkomandyhas left
pulkomandyhas joined
sonnyhas left
sonnyhas joined
pulkomandyhas left
pulkomandyhas joined
Meta Bergmanhas left
larma
Yagizа: Yes kex is what prekey was before. For trust management, you should probably realize an implementation of BTBV https://gultsch.de/trust.html
jonas’
BTBV, the UX nightmare
gavhas left
gavhas joined
Marchas joined
lovetox_has joined
larma
jonas’: why?
jonas’
larma, "hey scan my QR code, that’s going to be faster than typing a JID" -- and now you have to verify all future keys of that contact
jonas’
this is a hyperbolic example of the (for the user) non-obvious implications in BTBV
larma
Well... that's just an issue of Conversations
larma
It's not an inherent issue of BTBV
pulkomandyhas left
pulkomandyhas joined
larma
The verification step should always be visible to the user and also users should be able to reenable blind trust if it wasn't their intent to disable it when verifying a device
larma
Just look at how Dino did it ;)
flow
isn't that just the good old question of where the sweet spot between security and UX is?
jonas’
yes
jonas’
it is
jonas’
though the BT in BTBV is also a security nightmare :)
Yagizа
larma, ok, thanx.
flow
and the answer is probably: it depends on what you want, there is not that one single sweet spot
jonas’
BTBV is IMO an attempt to have the cake and eat it, which doesn’t quite work
larma
UX secret: don't pop up with a new window to verify fingerprint when sending a message and then automatically close it when blind trust is enabled.
UX secret: don’t pop up a window (unless in response to an action of the user) ✏
larma
jonas’: but the user pressed send :D
Ge0rG
Chromium always pops up the "do you want to sign in" popup when I open a random twitter link. I *HATE* it
jonas’
yeah, that was a stab at pidgin which’ll spam me with fun popup windows on some kind of spam
Yagizа
larma, BTW, what about fingerprints? Do I have to change something in fingerprint generation algorithm? Or should I use the same, used with old version?
larma
Yagizа: you just have to make sure you are generating the fingerprint from the curve25519 and not the ed25519 key
Yagizа
larma, and how can I get that curve25519 key?
Yagizа
larma, ratchet_identity_key_pair_get_public() will return ed25519 key when v4 is used, right?
larma
All `ec_public_key` are now both ed25519 and curve25519 public keys
larma
If you used `ec_public_key_serialize()` before to generate the fingerprint (by removing its first byte) it should still work
larma
You can also directly get it using `ec_public_key_get_mont()`
larma
Yagizа: Also note that in the bundle that is stored on pep, you should now use the ed25519 key (which you get by `ec_public_key_get_ed`)✎
larma
Yagizа: Also note that in the bundle that is stored on pep, you should now use the ed25519 key in <ik> (which you get by `ec_public_key_get_ed`) ✏
Yagizа
larma, ok, thank you!
kikuchiyohas joined
sonnyhas left
sonnyhas joined
Yagizа
larma, so, I should use ec_public_key_serialize() for fingerprint generation and ec_public_key_get_ed for getting data to publish in bundles?
larma
You can also use `get_mont` for fingerprints, it's the same as `serialize` just without the leading byte
larma
But yes, `get_ed` for bundles
Yagizа
larma, IC. So, I don't need ec_public_key_serialize() at all?
paulhas left
paulhas joined
pulkomandyhas left
pulkomandyhas joined
Yagizа
larma, and... how can I use IdentityKey, which I extract from bundles information? Now I just store it in local variable, but I don't see any use for it.
Yagizа
larma, should I somehow process it?
kikuchiyohas left
kikuchiyohas joined
kikuchiyohas left
etahas left
etahas joined
debaclehas joined
asterixhas joined
strarhas left
lovetox_has left
sonnyhas left
edhelashas left
lovetox_has joined
edhelashas joined
strarhas joined
pulkomandyhas left
pulkomandyhas joined
debaclehas left
kikuchiyohas joined
lovetox_has left
larma
Yagizа: Well you probably want to give the user the option to trust a key even before opening a session with it.
Martinhas left
Martinhas joined
kikuchiyohas left
kikuchiyohas joined
lovetox_has joined
pulkomandyhas left
pulkomandyhas joined
lovetox_has left
lovetoxhas left
neustradamushas joined
Neustradamushas joined
Yagizа
larma, IC. So, how can I get fingerprint from the ed25519 key, extracted from bundle data, received over XMPP?
Zashhas left
sonnyhas joined
Zashhas joined
larma
Yagizа, you can use `curve_decode_point` on the key from the bundle to get an `ec_public_key`