[OTR-dev] Key question

Ian Goldberg ian at cypherpunks.ca
Fri Jan 13 09:34:35 EST 2006


On Fri, Jan 13, 2006 at 10:41:45AM +0000, Michael Donaghy wrote:
> I verify that I'm using the right key the same way I verify that the key I 
> have for either of you is correct (Anyone can make a key with your email 
> address on it) - by using the web of trust. If I knew either of you we would 
> probably have already met and signed each other's keys, if not there would 
> hopefully be some mutual friend who had exchanged key fingerprints with both 
> of us, and so on.

But *neither* PGP key involved in the example lists the address
"roconnor at jabber.org".  Both of the keys are in fact the correct keys
for the people involved.

If (*IF*) you want to use the PGP WoT to sign OTR keys, at a minimum,
you need to add your IM identity as an address to your PGP key, in some
canonical format.  Then people who signed that identity would be able to
automatically trust that key to sign assertions *about the IM identity*.

   - Ian
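
Added example, not part of the original message or of any OTR code: a minimal Python model of the per-identity check described above, in which a key may sign assertions about an IM identity only if that identity appears on the key as a user ID and that user ID is certified by a trusted signer. The "im:<protocol>:<account>" format, the key IDs, the names and the sample account are all assumptions made for illustration.

```python
# Added illustration; the "im:<protocol>:<account>" user-ID format is an
# assumption (the message only says "some canonical format").
from dataclasses import dataclass, field


def canonical_im_uid(protocol: str, account: str) -> str:
    """Normalize an IM identity into the assumed canonical user-ID string."""
    return f"im:{protocol.strip().lower()}:{account.strip().lower()}"


@dataclass
class PgpKey:
    """Minimal model of a key: each user ID maps to the key IDs that certified it."""
    key_id: str
    uid_certs: dict[str, set[str]] = field(default_factory=dict)


def may_assert_for(key: PgpKey, protocol: str, account: str,
                   trusted: set[str]) -> tuple[bool, str]:
    """Decide whether `key` may sign assertions about this IM identity.

    Certifications are per user ID, so a signature on the e-mail user ID
    says nothing about the IM account: only certifications on the IM
    user ID itself count.
    """
    uid = canonical_im_uid(protocol, account)
    if uid not in key.uid_certs:
        return False, "key has no user ID for this IM identity"
    if not (key.uid_certs[uid] & trusted):
        return False, "IM user ID is not certified by anyone we trust"
    return True, "IM user ID certified by a trusted signer"


# Constructed sample data (key IDs, e-mail and IM account are placeholders).
TRUSTED = {"KEYID-FRIEND"}
IM_UID = canonical_im_uid("jabber", "alice@jabber.example")
email_only = PgpKey("KEYID-A", {"alice@mail.example": {"KEYID-FRIEND"}})
self_added = PgpKey("KEYID-B", {"alice@mail.example": {"KEYID-FRIEND"},
                                IM_UID: {"KEYID-B"}})
certified = PgpKey("KEYID-C", {"alice@mail.example": {"KEYID-FRIEND"},
                               IM_UID: {"KEYID-FRIEND"}})

if __name__ == "__main__":
    for k in (email_only, self_added, certified):
        print(k.key_id, may_assert_for(k, "Jabber", "Alice@jabber.example", TRUSTED))
```

The first sample key is the situation in the thread: a correct, well-certified key that still says nothing about the IM account, so it is rejected.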


