[Telepathy] API sketches for encrypted channels, and OTR

[Will Thompson]

On 09/11/09 22:22, Eric Hopper wrote:
> I, for one, think XTLS is potentially a really bad idea.  The security
> model of TLS is wrong and unworkable.  Relying on any kind of trusted
> central authority to verify identity is a bad way to go.

XTLS doesn't intrinsically require you to use a certificate signed by a
trusted CA. If you do, great; if not, well, the UI can present the SSH-
and OTR-style leap of faith prompt. Obviously most people are not going
to have CA-signed certificates, so it's important to support this.

(For those unfamiliar with OTR, it allows you to start an "unverified"
session with a contact immediately, without doing any kind of
authentication of their certificate. If you want, you can choose to
authenticate them by one of the following means:

• Manual out-of-band fingerprint verification;
• Each of you enters a shared secret, and the OTR plugin verifies that
they match;
• You enter a question and a secret answer, and the OTR plugin presents
them with the question and checks if their answer matches.

We should support these in the Telepathy API.)

-- 
Will