Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

erythrocyte firasmr786 at gmail.com
Fri Mar 12 23:04:59 CET 2010


On 3/13/2010 1:01 AM, Robert J. Hansen wrote:
> Sure.  But the problem here isn't spoofed emails.  The problem here is living in an area where basic human rights aren't respected.  The spoofed emails didn't get them convicted: the spoofed emails were cooked up to provide political cover for a conviction that was preordained.
> 
> So I think the statement, "people get convicted ... based on spoofed emails ... all the time" is overreaching.  The basis for their conviction is they're members of a persecuted minority -- not spoofed emails.

Sure, that is such a valid point. I'm a completely new user to GPG, so
do pardon some of my ruminations :-) . I realize they might not be
completely correct.

I guess what I'm trying to say here is that because regular people don't
understand what spoofing actually is, that by itself is a security hole.
The only way to correct something like that is to educate people and to
educate oneself. I also think the word 'spoofing' could apply not just
to emails, but to other things such as forging real-life identities such
as passports, etc. as well. There's no way I could be trained enough to
recognize spoofing of the latter kind even at a keysigning party. So as
I begin to use GPG, I'm becoming more and more aware of the limitations
that one has to come across - be they technological or social.

> Which leaves the question unanswered: since OTR exists to provide PFS/R, and you ignore PFS/R, why use OTR?

I actually use Pidgin OTR because

    a. it gives me the PFS/R option if and when I do think that might
       help (realizing its limitations nevertheless).
    b. I just think the ease with which users can authenticate makes it
       a good choice. The secret answer method of authenticating is
       easy for most of my friends to understand.

> If you live in a place that does things like this, they can already throw you in the gulag under any pretense they want...

Well, I do think that's such a relative thing. Just because you don't
notice these kinds of things going on in the place where you live
doesn't mean they don't happen. How many people actually bother to look?

I guess what I'm saying here is that human rights abuses can occur
anywhere and everywhere.

> ... but only by helping you keep information safe between the endpoints... This does not mean GnuPG is defective.  It means you need to understand your problem, your solution, and what tools you need to enact your solution.

I think that that makes perfect sense. :-)


-- 
erythrocyte
