Re: [Ekiga-devel-list] New features in CVS.



On Wed, Sep 06, 2006 at 08:37:52AM +0200, Daniel Smertnig wrote:
> On 9/5/06, simon <simon mungewell org> wrote:
> > How is it going to communicate the authentication string (the one you
> > are supposed to audiably confirm with your call partner)?
> 
> Currently I intend to show a dialog box that explains to the user that
> an encrypted connection was established and lets him confirm the SAS.
> It should not be necessary to display the SAS in later sessions, but
> one could probably give the user access to it by clicking the
> (planned) padlock icon in case he wants to verify it again, for
> whatever reason.
> 
> My current dialog designs are at:
> http://smertnig.textdriven.com/sas_buttons.png
> http://smertnig.textdriven.com/sas_radios.png
> 

Hi,
Personally I prefer the 'buttons' one. The 'Ask again Later' 
should be a tick box and have an alternative location within the config so 
that it can be turned back on - maybe just when the padlock is clicked...

Hovering over the padlock could 'pop up' the SAS.

[Techically the SAS does not confirm that someone is not listening in (as
they could steal the session key a different way and then be able to
decode the ZRTP stream).... it prevents 'Man in the Middle' attacks.]


You should also model the window which would appear if there is
'tampering' detected (partner cert does not match previous call etc).

---
"Ekiga has detected a change to your partner's security data. This could
mean that they have re-configured their application, or that there is a
security attack in progress."

Show SAS and present options - Hang-Up, Use Anyway, Save New Values?
Also with the 'Ask again Later' tick box.
---

You may want 'Use Anyway' as they may be using a different computer from 
last time (maybe on vacation, etc) and you might want to keep the validation
data for the next call with their normal set-up.

And along the same lines it would be nice to have a 'Clear Privacy Data'
in much the same way that mozilla has (should clear the certs as well as
the call logs).

Good Job!
Simon.

PS Never store the session key to disk!!!! and use an encrypted swap
file ;-)




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]