[OTR-dev] Key question

Ian Goldberg ian at cypherpunks.ca
Thu Jan 12 20:21:32 EST 2006


On Thu, Jan 12, 2006 at 10:39:33PM +0000, Michael Donaghy wrote:
> > Sometimes people ask if this can be done *automatically*, and the answer
> > is "not usually", since most people don't have their IM account names
> > listed on their PGP keys.  How is software to know that the PGP key for
> > "ian at cypherpunks.ca" is the one that should be used to check the
> > signature on the OTR key for "otr4ian on AIM"?
> >
> The same way PGP knows the keys for "martin orr" and "lucinda lynx" are the 
> ones to use for checking the signatures on my key. A pgp signature contains 
> the ID of the signing key, so you can easily use the right key to check it, 
> even downloading it off a keyserver if necessary.

No, no.  Perhaps I wasn't clear.  The problem isn't in figuring out
which PGP key to use to *validate* the signature; as you point out, that
information is carried with the signature.  The problem is in figuring
out which PGP key should be used to *trust* the signature.

For example, I present two PGP-signed OTR keys, both claiming to be a
signature for "roconnor at jabber.org":

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jabber account: roconnor at jabber.org
Fingerprint: E80BB592 1E3B491E FB5E5559 028D6F7C 9128F1A9

AIM account: (Jabber is prefered)
Fingerprint: 3D1F0B07 5A17682B CDB4DB6E 03DB7D45 39B09E9C

MSN account: (Jabber is prefered)
Fingerprint: 00D7B679 5C1BD5E0 3D9DD068 ADDBEA35 E75F9223
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB/MtxLRF4Sn+WLTcRAuQtAJ9RMPwuWAnCdw7DDgD4vdNrFxlb5ACeMkhQ
G1zka43rlhv5w2cs0BIh+JU=
=NVhC
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----

Jabber account: roconnor at jabber.org
Fingerprint: A9D70580 72FC7401 25899589 4CD3CD12 E792C538

AIM account: (Jabber is prefered)
Fingerprint: C5D70FB3 135CB595 F2F31E01 88884CEF BDD73BD9

MSN account: (Jabber is prefered)
Fingerprint: EE2AE8B1 AC6F3210 6F85C697 FE83F039 8D0A390D

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQ8b+OkZRiTErSPb1AQG46wP/T8bs0hPgR/NV0NuKUcIcubd0DJvpLZMW
h7U34ABmtQN6TAMDlgdqxW3e/OPjG6QRnoKEPnrR9RYW+aXil2uLg8U7BRnGecLj
rRljF+VdRQR6jod2MRZFqpl+nULsEqL3iSkxkFM5j90rzT+/uJFsbQS7WRrr1TO4
nusfeIZCZvE=
=B/kX
-----END PGP SIGNATURE-----

It's easy, as you say, to figure out which PGP keys to use to
verify the sigs (and, in fact, both sigs check out).  But what is
roconnor at jabber.org's real OTR fingerprint?  How do you know?

   - Ian



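Worked example (added here; not code from the post or from the OTR project) of the validate-versus-trust distinction Ian draws. Ed25519 from Go's standard library stands in for PGP, the two signing keys are constructed from fixed seeds, the account name and the two Jabber fingerprints are the ones quoted in the post, and the TrustStore type with its out-of-band account-to-key binding is an assumption about how a client would have to be told which signer to believe.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"errors"
	"fmt"
)

// Attestation models one of the PGP-signed blocks in the post: a claim that an
// IM account has a given OTR fingerprint, plus the signature and the key that
// made it (PGP carries the signing key ID inside the signature, so the
// verifier always knows which key to check against).
type Attestation struct {
	Account     string
	Fingerprint string
	SignerKey   ed25519.PublicKey
	Signature   []byte
}

// message is the exact byte string that gets signed.
func (a Attestation) message() []byte {
	return []byte("Jabber account: " + a.Account + "\nFingerprint: " + a.Fingerprint + "\n")
}

// Sign produces an attestation under priv (ed25519 standing in for PGP).
func Sign(priv ed25519.PrivateKey, account, fingerprint string) Attestation {
	a := Attestation{Account: account, Fingerprint: fingerprint, SignerKey: priv.Public().(ed25519.PublicKey)}
	a.Signature = ed25519.Sign(priv, a.message())
	return a
}

// Validate answers the easy question: is the signature good under the key it names?
func Validate(a Attestation) bool {
	return ed25519.Verify(a.SignerKey, a.message(), a.Signature)
}

// TrustStore is the piece the signatures cannot supply (assumed here): an
// out-of-band binding from IM account to the hex-encoded public key that is
// entitled to vouch for it.
type TrustStore map[string]string

var (
	ErrNoBinding  = errors.New("no trusted signing key known for this account")
	ErrNotVouched = errors.New("no valid attestation from the trusted signer")
)

// TrustedFingerprint returns the fingerprint from a valid attestation whose
// signer is the key the trust store binds to account. Valid attestations from
// any other key are ignored, however well their signatures check out.
func TrustedFingerprint(account string, atts []Attestation, ts TrustStore) (string, error) {
	want, ok := ts[account]
	if !ok {
		return "", ErrNoBinding
	}
	for _, a := range atts {
		if a.Account != account || !Validate(a) {
			continue
		}
		if hex.EncodeToString(a.SignerKey) == want {
			return a.Fingerprint, nil
		}
	}
	return "", ErrNotVouched
}

// Scenario rebuilds the post's two-attestation situation with constructed keys
// (fixed seeds, so runs are reproducible). Which fingerprint is genuine is
// precisely what no amount of signature checking can tell us.
func Scenario() (atts []Attestation, keyA, keyB string) {
	seedA := make([]byte, ed25519.SeedSize)
	seedB := make([]byte, ed25519.SeedSize)
	seedA[0], seedB[0] = 'A', 'B'
	privA := ed25519.NewKeyFromSeed(seedA)
	privB := ed25519.NewKeyFromSeed(seedB)
	const account = "roconnor@jabber.org"
	atts = []Attestation{
		Sign(privA, account, "E80BB592 1E3B491E FB5E5559 028D6F7C 9128F1A9"),
		Sign(privB, account, "A9D70580 72FC7401 25899589 4CD3CD12 E792C538"),
	}
	keyA = hex.EncodeToString(privA.Public().(ed25519.PublicKey))
	keyB = hex.EncodeToString(privB.Public().(ed25519.PublicKey))
	return atts, keyA, keyB
}

func main() {
	atts, keyA, _ := Scenario()
	for i, a := range atts {
		fmt.Printf("attestation %d validates: %v\n", i+1, Validate(a))
	}
	// Without a binding, validation alone cannot pick one.
	_, err := TrustedFingerprint("roconnor@jabber.org", atts, TrustStore{})
	fmt.Println("no trust binding:", err)
	// With a binding learned out of band, the choice is forced.
	fp, err := TrustedFingerprint("roconnor@jabber.org", atts, TrustStore{"roconnor@jabber.org": keyA})
	fmt.Println("trusted fingerprint:", fp, err)
}
```

Both attestations pass Validate; only the TrustStore entry, which has to come from somewhere other than the signed blocks (a fingerprint exchange in person, a PGP user ID naming the IM account, a web-of-trust path to a key that lists it), makes TrustedFingerprint return anything.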