Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

Doug Barton dougb at
Fri Mar 12 21:44:47 CET 2010

On 3/11/2010 11:36 PM, erythrocyte wrote:
> On 3/12/2010 10:54 AM, Doug Barton wrote:
>> "Secure" in this context is a relative term. (Note, I'm a long time user
>> of pidgin+OTR and a longer-time user of PGP, so I'm actually familiar
>> with what you're proposing.) If you know the person you're IM'ing well
>> enough, you can do a pretty good job of validating their OTR
>> fingerprint. But how "secure" that is depends on your threat model. Are
>> you going to be encrypting sensitive financial data? Fruit cake recipes?
>> Blueprints for nuclear weapons? Is the security of your communication
>> something that you're wagering your life (or the lives of others) on?
> Hmmm...if I understand it correctly, if and when the OTR session is
> fully verified/authenticated it doesn't matter what the content of the
> data you transmit is. It could be any of the above - fruit cake recipes,
> financial data, et al.

You posited a scenario where you are using OTR communications to verify
a PGP key. My assumption (and pardon me if it was incorrect) was that
you had a security-related purpose in mind for the verified key.



	... and that's just a little bit of history repeating.
			-- Propellerheads

	Improve the effectiveness of your Internet presence with
	a domain name makeover!

More information about the Gnupg-users mailing list