OTR meeting notes - Tails hackfest in Paris 2014

Attendees: - jvoisin - infinity0 - dgoulet - drwhax - vmon

1) Modern cryptography

Migrating current OTR protocol to use modern cryptography. We would like to replace the DSA signature to "ed25519". The DH exchange should be replaced by "curve25519". libgcrypt supports ed25519 since version 1.6 (package libgcrypt20). The curve25519 is unclear if it's merged or a work in progress.

The new key(s) should be derived from the old one so users can keep their current fingerprint.

For that, we discussed the need to cross sign keys for the transition.

Also, should chacha20 and/or poly1305 should be considered as well? No one had a strong opinion on that.

A proposal of these changes should be written first before any code starts and Acked-by maintainers/developers/contributors off the community.

2) Tests suite

You can find here a branch of the test suite started by dgoulet which contains some basic unit tests now integrated with libtap.

(branch: test-suites)

We agree that an "OTR fuzzer" would be great also to basically hunt bug and also be able to add this to a continious integration system.

There is a bunch of open bugs/features on https://bugs.otr.im/projects/libotr/issues that we need to tackle but we all agree that we should first make the test suite with a descent code coverage so we can actually confirm that what we are fixing/implementing is not breaking anything.

Once we have that, there is some kniffing to do especially on some part of the internal ABI (for instance, second comments of this https://bugs.otr.im/issues/23). Memory allocation used without checks, stuff like that. Mostly this kniffing would be simply to improve the code to make it more easily maintainable and robust.

3) OTR.im

We have a twitter account now to tweet about some stuff that's going on in the OTR community I guess and news/update... So send anything you think might be worth tweeting :).


Also, we discussed having more action on the blog (https://otr.im/blog) especially maybe putting a "Call to action" for testing.

A new git repository containing the specifications would be a good idea to create so we can have people looking at the progress of the modern crypto spec. for instance.