integrating OTR keys into PGP key

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Nov 2 20:01:58 CET 2011


On 11/02/2011 10:02 AM, Hans-Christoph Steiner wrote:
> That's fully expected, I plan to tackle adding support for this in both Pidgin and Adium.

i'd think that doing this work in libotr would be the first priority,
then adding integrated UI for whatever clients you're using.

> Is there any built-in assumption that user accounts will be in email address form?

OpenPGP certificates are structured like this:

└┬┬╴primary key
 │├┬╴User ID 0
 ││├ self-certification
 ││├ third-party certification
 ││└ ... other third-party certifications ...
 │├┬╴User ID 1
 ││├ self-certification
 ││├ third-party certification
 ││└ ... other third-party certifications ...
 │└ ... other User IDs ...
 ├┬╴subkey 0
 │└ self-certification
 ├┬╴subkey 1
 │└ self-certification
 └ ... other subkeys ...

Note that the User IDs are bound directly to the primary key, and the
subkeys are also bound directly to the primary key.  Subkeys are *not*
directly associated with specific User IDs.

There is no requirement that User IDs be in RFC 822 form; that's just a
common convention.  Note that the monkeysphere already uses User IDs for
servers of the form "ssh://foo.example.org" (certainly not an e-mail
address), and gpg copes with that just fine.

I suspect what you'll want is to add a subkey that is marked as
authentication-capable, and that will be the key used for OTR.  You may
also want to add a notation to the subkey self-sig that indicates it is
for OTR use.

Then, you'll want to think clearly about how you want to represent the
various instant-messaging transports as User IDs.  You probably want
them to be canonical and unambiguous.  (e.g. don't use "foo at AIM", since
it's possible that a future TLD named "aim" could be allocated by the
IANA -- maybe "aim:exampleuser" is better?)

hth,

	--dkg
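As an added illustration (not part of dkg's message, nor code from GnuPG, libotr or the monkeysphere), the following Python reads a `gpg --with-colons --list-keys` listing and picks out what an OTR integration would need from a certificate laid out as above: the User IDs bound to the primary key (decoding gpg's `\x3a` escaping, so scheme-prefixed IDs such as `aim:exampleuser` and `ssh://foo.example.org` survive), and the subkey(s) flagged authentication-capable (`a` in field 12). The listing, key IDs, fingerprints and UID hashes are constructed sample data; the field positions follow GnuPG's `doc/DETAILS`.

```python
"""Select the authentication-capable subkey(s) and the User IDs from a
`gpg --with-colons --list-keys` listing.

Record layout (GnuPG doc/DETAILS): field 1 record type, field 5 key ID,
field 10 User ID (C-escaped, ':' always emitted as \\x3a), field 12 key
capabilities ('e','s','c','a'; uppercase on the pub line summarises the
whole certificate).  Subkeys and User IDs both hang off the pub record,
never off each other, which is why the parser keeps two flat lists.
"""

# Constructed sample listing: made-up key IDs, fingerprints and UID hashes.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1320000000:::u:::scESCA::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:u::::1320000000::0000000000000000000000000000000000000001::Alice Example <alice@example.org>::::::::::0:
uid:u::::1320000000::0000000000000000000000000000000000000002::aim\\x3aexampleuser::::::::::0:
uid:u::::1320000000::0000000000000000000000000000000000000003::ssh\\x3a//foo.example.org::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1320000000::::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:u:2048:1:1122334455667788:1320000000::::::a::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""


def unescape_uid(field: str) -> str:
    """Undo gpg's C-style \\xHH escaping of field 10.

    Escapes are per byte, so collect bytes and decode as UTF-8 at the end;
    unescaped characters are re-encoded so multibyte UIDs round-trip.
    """
    out = bytearray()
    i = 0
    while i < len(field):
        if field.startswith("\\x", i) and i + 4 <= len(field):
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        else:
            out += field[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def parse_listing(text: str) -> list[dict]:
    """Group pub/uid/sub records into one dict per certificate."""
    certs: list[dict] = []
    cert = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cert = {"keyid": f[4], "caps": f[11], "uids": [], "subkeys": []}
            certs.append(cert)
        elif cert is None:
            continue  # records before the first pub line are not ours
        elif f[0] == "uid":
            cert["uids"].append(unescape_uid(f[9]))
        elif f[0] == "sub":
            cert["subkeys"].append({"keyid": f[4], "caps": f[11]})
    return certs


def authentication_subkeys(cert: dict) -> list[str]:
    """Key IDs of subkeys usable for authentication, i.e. OTR candidates."""
    return [sk["keyid"] for sk in cert["subkeys"] if "a" in sk["caps"]]


def certificate_capabilities(cert: dict) -> set[str]:
    """Aggregate capabilities: the uppercase E/S/C/A letters on the pub line."""
    return {c.lower() for c in cert["caps"] if c in "ESCA"}


def uid_scheme(uid: str) -> str:
    """Return the URI-style scheme of a User ID, or 'mailbox' for RFC 822 form.

    Hypothetical helper for the naming question raised in the thread: a
    scheme prefix keeps an IM handle distinct from a host name or address.
    """
    if "<" in uid and "@" in uid:
        return "mailbox"
    scheme, sep, _ = uid.partition(":")
    return scheme.lower() if sep else "unknown"


if __name__ == "__main__":
    for cert in parse_listing(SAMPLE_LISTING):
        print("primary", cert["keyid"], "caps", sorted(certificate_capabilities(cert)))
        for uid in cert["uids"]:
            print("  uid", repr(uid), "->", uid_scheme(uid))
        print("  OTR subkey candidates:", authentication_subkeys(cert))
```

Run it against real output with `gpg --with-colons --list-keys <keyid>` piped into `parse_listing`; a certificate with no `a`-capable subkey yields an empty candidate list, which is the signal that the subkey dkg suggests has not been added yet.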


More information about the Gnupg-devel mailing list