Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

erythrocyte firasmr786 at gmail.com
Sat Mar 13 08:06:47 CET 2010


On Sat, Mar 13, 2010 at 11:40 AM, Robert J. Hansen <rjh at sixdemonbag.org> wrote:

> > You have an existing credential - a passport.
> > You then use that credential to verify another - a PGP key.
>
> The passport isn't used to verify the OpenPGP key.  The passport is used to
> verify *identity*.  The key fingerprint is used to verify the OpenPGP key.
>
> A signature is a statement of "I believe this person is associated with
> this OpenPGP key."  To do that, you have to first verify the person is who
> you think they are (the passport); you have to verify the key is what you
> think it is (the fingerprint); and then you make a statement about the two
> being associated.
>

I'm a little confused as to how that makes it any different from using
the Pidgin OTR method.

I simply open up an OTR session, ask my friend a question the answer to
which is secret (only known to him) and thereby authenticate that it is in
fact him that I'm talking to. Next, over this secure connection, we exchange
our email-encryption key fingerprints and verify them and then sign them, in
effect stating like you mentioned: "Yes, I believe this person is associated
with this OpenPGP key."
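As an added example (not code from this thread, from GnuPG or from the Pidgin OTR plugin), here is the fingerprint comparison step the poster describes: read the local key's fingerprint from `gpg --with-colons --fingerprint` output (a constructed sample with a made-up fingerprint), normalize the fingerprint received over the authenticated OTR session, and accept only a full-fingerprint match. It separately flags the case where just the 64-bit key ID (the last 16 hex digits) agrees, since comparing key IDs alone is not a verification of the key.

```python
"""Compare an OpenPGP fingerprint received over an authenticated channel
(e.g. an SMP-authenticated OTR session) with the fingerprint of the key in
the local keyring, as a precondition for signing it.

Added example; not code from the thread. SAMPLE_GPG_OUTPUT is a constructed
imitation of `gpg --with-colons --fingerprint` output with a made-up key.
"""
import re

# Constructed sample. In --with-colons output the 'fpr' record carries the
# full fingerprint in field 10 (1-based); the 'pub' record's field 5 is the
# 64-bit key ID, i.e. the last 16 hex digits of a v4 fingerprint.
SAMPLE_GPG_OUTPUT = """\
pub:u:4096:1:89ABCDEF01234567:1262304000:::u:::scESC::::::23::0:
fpr:::::::::FEDCBA98765432100123456789ABCDEF01234567:
uid:u::::1262304000::0000000000000000000000000000000000000000::Alice Example <alice at example.invalid>::::::::::0:
"""

FULL_FP = re.compile(r"[0-9A-F]{40}|[0-9A-F]{64}")  # v4 (SHA-1) or v5 (SHA-256)


def fingerprints_from_colons(output: str) -> list[str]:
    """Return every full fingerprint found in gpg --with-colons output."""
    fps = []
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fps.append(fields[9].upper())
    return fps


def normalize(fp: str) -> str:
    """Strip the spaces/colons people type when reading a fingerprint aloud
    or pasting it, uppercase it, and reject anything shorter than a full
    fingerprint (a bare key ID is not enough to identify a key)."""
    cleaned = re.sub(r"[\s:]", "", fp).upper()
    if not FULL_FP.fullmatch(cleaned):
        raise ValueError(f"not a full OpenPGP fingerprint: {fp!r}")
    return cleaned


def verify(received: str, local: str) -> tuple[bool, str]:
    """Decide whether the key in the local keyring is the one the remote
    party attested to over the authenticated channel."""
    r, loc = normalize(received), normalize(local)
    if r == loc:
        return True, "full fingerprint matches"
    if r[-16:] == loc[-16:]:
        # Same 64-bit key ID but different key: a key ID is not a fingerprint.
        return False, "only the 64-bit key ID matches; full fingerprint differs, do not sign"
    return False, "fingerprint mismatch"


if __name__ == "__main__":
    local_fp = fingerprints_from_colons(SAMPLE_GPG_OUTPUT)[0]
    # Fingerprint as read back over the OTR session, grouped in fours.
    received_fp = "FEDC BA98 7654 3210 0123  4567 89AB CDEF 0123 4567"
    ok, reason = verify(received_fp, local_fp)
    print(f"{'OK' if ok else 'REJECT'}: {reason}")
```

The ordering matters for the reasoning in the thread: the OTR session authenticates the person (the shared-secret question), and only then does the fingerprint comparison bind that person to the key; the script only does the second step and assumes the first has already succeeded.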

