Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

Doug Barton dougb at
Fri Mar 12 06:24:26 CET 2010

On 3/11/2010 12:20 AM, erythrocyte wrote:
> But what if there was no way to meet in person, make a phone call or a
> VoIP call. I was wondering if using Pidgin with the OTR plugin (and
> authenticating the OTR session using the Q&A method; see above link)
> could be considered a secure channel to exchange and crosscheck GPG key
> fingerprints in such a case.

"Secure" in this context is a relative term. (Note, I'm a long time user 
of pidgin+OTR and a longer-time user of PGP, so I'm actually familiar 
with what you're proposing.) If you know the person you're IM'ing well 
enough, you can do a pretty good job of validating their OTR 
fingerprint. But how "secure" that is depends on your threat model. Are 
you going to be encrypting sensitive financial data? Fruit cake recipes? 
Blueprints for nuclear weapons? Is the security of your communication 
something that you're wagering your life (or the lives of others) on? Is 
your communication of high enough value that your associate could have a 
gun to their head held by someone who is forcing them to answer your OTR 
questions truthfully? (Remember, you can't see them, or hear stress in 
their voice, you can only see what they type.) Have you and your 
associate pre-established a code question to handle the gun-to-the-head 

Hopefully that's enough questions to illustrate the point. :)



	... and that's just a little bit of history repeating.
			-- Propellerheads

	Improve the effectiveness of your Internet presence with
	a domain name makeover!

More information about the Gnupg-users mailing list