[OTR-dev] Key question

Ian Goldberg ian at cypherpunks.ca
Thu Jan 12 12:00:00 EST 2006


On Thu, Jan 12, 2006 at 04:00:39PM +0100, Mattias Eriksson wrote:
> I looked at the gaim-otr plugin, and this is a very nice thing. But why
> don't you use existing pgp-keys/trustdatabase? This way an
> organization needs to do the keysigning procedure all over... or most
> probably assume that the key is the right one (like everybody currently
> is doing with unknown ssh hosts).
> 
> Are there any plans of adding the possibility to use existing pgpkeys?

You can do this today.  For example, http://www.r6.ca/russellotr.asc
As always, you can leverage an existing trust mechanism to build
another.  Just sign your OTR keys with your PGP key, and put it online
somewhere.  Then anyone that trusts your PGP key can learn your OTR key
in a verifiable way.

Sometimes people ask if this can be done *automatically*, and the answer
is "not usually", since most people don't have their IM account names
listed on their PGP keys.  How is software to know that the PGP key for
"ian at cypherpunks.ca" is the one that should be used to check the
signature on the OTR key for "otr4ian on AIM"?

   - Ian
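
An added example, not part of the original post or of the OTR code: a check of the OTR fingerprint an IM client displays against a PGP-signed statement whose signature gpg has already verified. The statement line format, the function names, the PINNED table and all fingerprints are assumptions constructed for illustration; PINNED is the manual account-to-PGP-key step that software cannot infer on its own.

```python
import re

# Constructed sample: plaintext of a clearsigned statement, taken only AFTER
# gpg has verified its signature. The "protocol account fingerprint" line
# format is an assumption of this example, not an OTR or PGP convention.
STATEMENT = """\
My OTR keys as of today:
aim otr4ian 0123ABCD 4567EF01 89ABCDEF 01234567 89ABCDEF
"""
SIGNER = "A" * 40   # constructed PGP key fingerprint gpg reported as signer

# The manual step: the user records which PGP key speaks for which IM
# account. Nothing in the PGP key itself supplies this mapping.
PINNED = {("aim", "otr4ian"): SIGNER}

def normalize_fp(text):
    """Return an OTR fingerprint as 40 uppercase hex digits, or None."""
    fp = re.sub(r"\s+", "", text).upper()
    return fp if re.fullmatch(r"[0-9A-F]{40}", fp) else None

def parse_statement(text):
    """Map (protocol, account) -> fingerprint for each well-formed line."""
    keys = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and normalize_fp(parts[2]):
            keys[(parts[0].lower(), parts[1])] = normalize_fp(parts[2])
    return keys

def check_buddy(protocol, account, seen_fp, signer, statement, pinned):
    """Compare the fingerprint the IM client shows with the signed one."""
    who = (protocol.lower(), account)
    if who not in pinned:
        return "no-pgp-binding"   # software cannot guess the right key
    if pinned[who] != signer:
        return "wrong-signer"     # valid signature, but not the pinned key
    signed = parse_statement(statement).get(who)
    if signed is None:
        return "not-listed"
    return "verified" if signed == normalize_fp(seen_fp) else "mismatch"
```

Only "verified" justifies marking the buddy's OTR key as trusted; every other result means falling back to checking the fingerprint by hand.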


