Yagizаlarma, everything's working so far. But I have further questions.
Yagizаlarma, are there any suggestions about trust management? I don't really understand how to implement it within OMEMO, if Signal Protocol trust management mechanism is not recommended.
alexishas left
alexishas joined
Yagizаlarma, what about "kex" atribute of "key" element? Now I just treat it as a replacement for "prekey" attribute in old versions of OMEMO. Is that correct?
pulkomandyhas left
pulkomandyhas joined
neustradamushas left
pulkomandyhas left
pulkomandyhas joined
sonnyhas left
sonnyhas joined
pulkomandyhas left
pulkomandyhas joined
Meta Bergmanhas left
larmaYagizа: Yes kex is what prekey was before. For trust management, you should probably realize an implementation of BTBV https://gultsch.de/trust.html
jonas’BTBV, the UX nightmare
gavhas left
gavhas joined
Marchas joined
lovetox_has joined
larmajonas’: why?
jonas’larma, "hey scan my QR code, that’s going to be faster than typing a JID" -- and now you have to verify all future keys of that contact
jonas’this is a hyperbolic example of the (for the user) non-obvious implications in BTBV
larmaWell... that's just an issue of Conversations
larmaIt's not an inherent issue of BTBV
pulkomandyhas left
pulkomandyhas joined
larmaThe verification step should always be visible to the user and also users should be able to reenable blind trust if it wasn't their intent to disable it when verifying a device
larmaJust look at how Dino did it ;)
flowisn't that just the good old question of where the sweet spot between security and UX is?
jonas’yes
jonas’it is
jonas’though the BT in BTBV is also a security nightmare :)
Yagizаlarma, ok, thanx.
flowand the answer is probably: it depends on what you want, there is not that one single sweet spot
jonas’BTBV is IMO an attempt to have the cake and eat it, which doesn’t quite work
larmaUX secret: don't pop up with a new window to verify fingerprint when sending a message and then automatically close it when blind trust is enabled.
jonas’UX secret: don’t pop up a window (unless in response to an action of the user) ✏
larmajonas’: but the user pressed send :D
Ge0rGChromium always pops up the "do you want to sign in" popup when I open a random twitter link. I *HATE* it
jonas’yeah, that was a stab at pidgin which’ll spam me with fun popup windows on some kind of spam
Yagizаlarma, BTW, what about fingerprints? Do I have to change something in fingerprint generation algorithm? Or should I use the same, used with old version?
larmaYagizа: you just have to make sure you are generating the fingerprint from the curve25519 and not the ed25519 key
Yagizаlarma, and how can I get that curve25519 key?
Yagizаlarma, ratchet_identity_key_pair_get_public() will return ed25519 key when v4 is used, right?
larmaAll `ec_public_key` are now both ed25519 and curve25519 public keys
larmaIf you used `ec_public_key_serialize()` before to generate the fingerprint (by removing its first byte) it should still work
larmaYou can also directly get it using `ec_public_key_get_mont()`
larmaYagizа: Also note that in the bundle that is stored on pep, you should now use the ed25519 key (which you get by `ec_public_key_get_ed`)✎
larmaYagizа: Also note that in the bundle that is stored on pep, you should now use the ed25519 key in <ik> (which you get by `ec_public_key_get_ed`) ✏
Yagizаlarma, ok, thank you!
kikuchiyohas joined
sonnyhas left
sonnyhas joined
Yagizаlarma, so, I should use ec_public_key_serialize() for fingerprint generation and ec_public_key_get_ed for getting data to publish in bundles?
larmaYou can also use `get_mont` for fingerprints, it's the same as `serialize` just without the leading byte
larmaBut yes, `get_ed` for bundles
Yagizаlarma, IC. So, I don't need ec_public_key_serialize() at all?
paulhas left
paulhas joined
pulkomandyhas left
pulkomandyhas joined
Yagizаlarma, and... how can I use IdentityKey, which I extract from bundles information? Now I just store it in local variable, but I don't see any use for it.
Yagizаlarma, should I somehow process it?
kikuchiyohas left
kikuchiyohas joined
kikuchiyohas left
etahas left
etahas joined
debaclehas joined
asterixhas joined
strarhas left
lovetox_has left
sonnyhas left
edhelashas left
lovetox_has joined
edhelashas joined
strarhas joined
pulkomandyhas left
pulkomandyhas joined
debaclehas left
kikuchiyohas joined
lovetox_has left
larmaYagizа: Well you probably want to give the user the option to trust a key even before opening a session with it.
Martinhas left
Martinhas joined
kikuchiyohas left
kikuchiyohas joined
lovetox_has joined
pulkomandyhas left
pulkomandyhas joined
lovetox_has left
lovetoxhas left
neustradamushas joined
Neustradamushas joined
Yagizаlarma, IC. So, how can I get fingerprint from the ed25519 key, extracted from bundle data, received over XMPP?
Zashhas left
sonnyhas joined
Zashhas joined
larmaYagizа, you can use `curve_decode_point` on the key from the bundle to get an `ec_public_key`