[OTR-dev] Key question

Michael Donaghy otr at sdonag.plus.com
Fri Jan 13 05:41:45 EST 2006


On Friday 13 Jan 2006 01:21, Ian Goldberg wrote:
> On Thu, Jan 12, 2006 at 10:39:33PM +0000, Michael Donaghy wrote:
> > > Sometimes people ask if this can be done *automatically*, and the
> > > answer is "not usually", since most people don't have their IM account
> > > names listed on their PGP keys.  How is software to know that the PGP
> > > key for "ian at cypherpunks.ca" is the one that should be used to check
> > > the signature on the OTR key for "otr4ian on AIM"?
> >
> > The same way PGP knows the keys for "martin orr" and "lucinda lynx" are
> > the ones to use for checking the signatures on my key. A pgp signature
> > contains the ID of the signing key, so you can easily use the right key
> > to check it, even downloading it off a keyserver if necessary.
>
> No, no.  Perhaps I wasn't clear.  The problem isn't in figuring out
> which PGP key to use to *validate* the signature; as you point out, that
> information is carried with the signature.  The problem is in figuring
> out which PGP key should be used to *trust* the signature.
>
> For example, I present two PGP-signed OTR keys, both claiming to be a
> signature for "roconnor at jabber.org":
>
<snip> 
>
> It's easy, as you say, to figure out which PGP keys to use to
> verify the sigs (and, in fact, both sigs check out).  But what is
> roconnor at jabber.org's real OTR fingerprint?  How do you know?
>
I verify that I'm using the right key the same way I verify that the key I 
have for either of you is correct (anyone can make a key with your email 
address on it) - by using the web of trust. If I knew either of you, we would 
probably have already met and signed each other's keys; if not, there would 
hopefully be some mutual friend who had exchanged key fingerprints with both 
of us, and so on.
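Added example, not part of the original message or of OTR's own code: a sketch of the distinction drawn in this thread between a signature that validates and a signer that is trusted, using a depth-limited web-of-trust search. All key IDs, fingerprints and function names are constructed placeholders, and every signature is assumed to have verified cryptographically already.

```python
from collections import deque

# Constructed sample data. Every entry stands for a signature that has ALREADY
# verified cryptographically; key IDs and fingerprints are placeholders.
CERTS = {                       # signer PGP key -> PGP keys it has certified
    "KEY_ME": {"KEY_FRIEND"},
    "KEY_FRIEND": {"KEY_SIGNER_A"},
    "KEY_STRANGER": {"KEY_SIGNER_B"},
}
CLAIMS = [                      # (IM account, OTR fingerprint, signing PGP key)
    ("roconnor at jabber.org", "OTR_FP_A", "KEY_SIGNER_A"),
    ("roconnor at jabber.org", "OTR_FP_B", "KEY_SIGNER_B"),
]

def trust_path(certs, root, target, max_depth=3):
    """Shortest certification chain root -> target, or None if none exists
    within max_depth hops (breadth-first search)."""
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_depth:
            continue                      # chain too long to be trusted
        for nxt in sorted(certs.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def trusted_fingerprints(claims, certs, root, account, max_depth=3):
    """OTR fingerprints for `account` whose signer is reachable from `root`.
    Assumption: the user accepts a reachable signer as speaking for the
    account; nothing in the PGP key itself names the IM account."""
    result = {}
    for acct, otr_fp, signer in claims:
        path = trust_path(certs, root, signer, max_depth)
        if acct == account and path is not None:
            result[otr_fp] = path
    return result

if __name__ == "__main__":
    # Both claims carry valid signatures; only one signer has a trust path.
    print(trusted_fingerprints(CLAIMS, CERTS, "KEY_ME", "roconnor at jabber.org"))
```

Both claims are equally "valid"; only the certification graph rooted at the verifier's own key separates them, and the hop limit controls how far that trust is allowed to extend.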
