Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

erythrocyte firasmr786 at gmail.com
Thu Mar 11 09:20:08 CET 2010


I'm a user of Pidgin with the off-the-record plugin:

   http://www.cypherpunks.ca/otr/help/3.2.0/levels.php?lang=en
   http://www.cypherpunks.ca/otr/help/3.2.0/authenticate.php?lang=en

In order to use GPG based email encryption properly, it's important for
users to authenticate with each other and verify that the public keys
downloaded from the keyservers have fingerprints that match the ones on
their respective computers. Typically the most secure way to crosscheck
fingerprints is via a secure channel such as an in-person meeting. But a
phone call comes pretty close too (assuming that it would be difficult to
mount a voice man-in-the-middle attack).

But what if there were no way to meet in person, make a phone call or a
VoIP call? I was wondering if using Pidgin with the OTR plugin (and
authenticating the OTR session using the Q&A method; see above link)
could be considered a secure channel to exchange and crosscheck GPG key
fingerprints in such a case.

Any thoughts?
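Whatever channel ends up carrying the fingerprint, the local half of the check is mechanical: take the string the peer pasted into the chat and compare it against what gpg reports for the key fetched from the keyserver. The following is an added example for this thread, not code from the original post or from the OTR or GnuPG projects. It assumes the peer pasted their full 40-hex-digit (v4) fingerprint in the form `gpg --fingerprint` prints it, parses the machine-readable `gpg --with-colons --fingerprint` record format, and refuses to accept a short key ID in place of a fingerprint (key IDs are far too short to identify a key safely). The function names and the sample `--with-colons` output are constructed for illustration; only `local_colon_output` touches a real gpg binary.

```python
"""Check a GPG fingerprint received over an authenticated chat against the
local keyring. Added example, not code from the original post."""
import re
import subprocess
from typing import Dict, List, Optional

HEX40 = re.compile(r"[0-9A-F]{40}")


def normalize_fingerprint(text: str) -> Optional[str]:
    """Strip the spaces and case a user pastes from `gpg --fingerprint` output.

    Returns None unless the result is a full 160-bit fingerprint. A short
    key ID (8 or 16 hex digits) is deliberately rejected: it is not enough
    to tell two keys apart and must not be used for authentication.
    """
    fpr = re.sub(r"\s+", "", text).upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    return fpr if HEX40.fullmatch(fpr) else None


def parse_colon_fingerprints(colon_output: str) -> Dict[str, List[str]]:
    """Parse `gpg --with-colons --fingerprint` output.

    Field 10 of an `fpr` record holds the fingerprint of the `pub` or `sub`
    record immediately preceding it, so the records are tracked by owner.
    """
    result: Dict[str, List[str]] = {"pub": [], "sub": []}
    owner = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            owner = fields[0]
        elif fields[0] == "fpr" and owner is not None and len(fields) > 9:
            result[owner].append(fields[9].upper())
    return result


def fingerprint_matches(received: str, colon_output: str) -> bool:
    """True only if `received` is a full fingerprint equal to a primary key's.

    Subkey fingerprints are not accepted: the peer is expected to read out
    the fingerprint of the primary (certifying) key, which is what signs
    the user ID you are about to trust.
    """
    fpr = normalize_fingerprint(received)
    if fpr is None:
        return False
    return fpr in parse_colon_fingerprints(colon_output)["pub"]


def local_colon_output(keyid: str) -> str:
    """Fetch the keyring record for a key already imported via --recv-keys."""
    return subprocess.run(
        ["gpg", "--batch", "--with-colons", "--fingerprint", keyid],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed sample of --with-colons output: one primary key and one subkey.
SAMPLE_COLON_OUTPUT = """\
pub:u:2048:1:0123456789ABCDEF:1268290000:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1268290000::0000000000000000000000000000000000000000::Example User <user at example.org>:
sub:u:2048:1:FEDCBA9876543210:1268290000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""

if __name__ == "__main__":
    # What the peer typed into the authenticated chat, spacing and all.
    pasted = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
    print(fingerprint_matches(pasted, SAMPLE_COLON_OUTPUT))
    # Against a real keyring, replace SAMPLE_COLON_OUTPUT with
    # local_colon_output("0123456789ABCDEF").
```

The comparison is only as strong as the channel that delivered `pasted`: if the OTR session was not authenticated (or was authenticated against the wrong party), a man-in-the-middle can simply send the fingerprint of a key they control and this check will happily report a match.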



More information about the Gnupg-users mailing list