Using the OTR plugin with Pidgin for verifying GPG public key fingerprints
Doug Barton
dougb at dougbarton.us
Fri Mar 12 06:24:26 CET 2010
On 3/11/2010 12:20 AM, erythrocyte wrote:
> But what if there was no way to meet in person, make a phone call or a
> VoIP call. I was wondering if using Pidgin with the OTR plugin (and
> authenticating the OTR session using the Q&A method; see above link)
> could be considered a secure channel to exchange and crosscheck GPG key
> fingerprints in such a case.
"Secure" in this context is a relative term. (Note, I'm a long-time user
of pidgin+OTR and a longer-time user of PGP, so I'm actually familiar
with what you're proposing.) If you know the person you're IM'ing well
enough, you can do a pretty good job of validating their OTR
fingerprint. But how "secure" that is depends on your threat model. Are
you going to be encrypting sensitive financial data? Fruit cake recipes?
Blueprints for nuclear weapons? Is the security of your communication
something that you're wagering your life (or the lives of others) on? Is
your communication of high enough value that your associate could have a
gun to their head held by someone who is forcing them to answer your OTR
questions truthfully? (Remember, you can't see them, or hear stress in
their voice, you can only see what they type.) Have you and your
associate pre-established a code question to handle the gun-to-the-head
scenario?
Hopefully that's enough questions to illustrate the point. :)
Doug
--
... and that's just a little bit of history repeating.
-- Propellerheads