[OTR-dev] Key question

Michael Donaghy otr at sdonag.plus.com
Fri Jan 13 13:32:48 EST 2006


On Friday 13 Jan 2006 14:34, Ian Goldberg wrote:
> On Fri, Jan 13, 2006 at 10:41:45AM +0000, Michael Donaghy wrote:
> > I verify that I'm using the right key the same way I verify that the key
> > I have for either of you is correct (Anyone can make a key with your
> > email address on it) - by using the web of trust. If I knew either of you
> > we would probably have already met and signed each other's keys, if not
> > there would hopefully be some mutual friend who had exchanged key
> > fingerprints with both of us, and so on.
>
> But *neither* PGP key involved in the example lists the address
> "roconnor at jabber.org".  Both of the keys are in fact the correct keys
> for the people involved.

So? It doesn't matter which of you signs the OTR key, as long as I trust 
whoever it is. If I've got your signature on the statement

    Jabber account: roconnor at jabber.org
    Fingerprint: E80BB592 1E3B491E FB5E5559 028D6F7C 9128F1A9

then it doesn't matter whether that account belongs to you - I trust you that 
that key belongs to that account, and I will use the key with that 
fingerprint when talking to roconnor at jabber.org, whoever that is. (If I 
didn't think you were reliable when signing other people's keys, your key 
wouldn't be set as trusted. I suppose the downside of this is that I need to 
set you as trusted in order to have a valid signature on your own IM key - 
but if I don't trust you to sign keys correctly, I probably don't trust you 
to give me a correct IM address)
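The check described in this message, as an added example that is not part of the original post or of the OTR code: accept an OTR fingerprint for an account only when a PGP key I trust has a valid signature on a statement binding that account to that fingerprint. It assumes the status lines come from running `gpg --status-fd` on the signed statement; `TRUSTED_SIGNERS`, the function names and the signer fingerprint are hypothetical, constructed values.

```python
import re

# Hypothetical local policy: PGP keys whose owners I trust to sign IM-key
# statements. Constructed fingerprint, not a real key.
TRUSTED_SIGNERS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Constructed `gpg --status-fd` output for a good signature.
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 "
    "2006-01-13 1137177168 0 3 0 17 2 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567\n"
)
# The statement from the message; it must be the exact text gpg verified.
SAMPLE_STATEMENT = (
    "Jabber account: roconnor at jabber.org\n"
    "Fingerprint: E80BB592 1E3B491E FB5E5559 028D6F7C 9128F1A9\n"
)

def signer_from_status(status):
    """Return the signing key fingerprint from a VALIDSIG line, or None."""
    for line in status.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) > 2:
            return parts[2].upper()
    return None  # BADSIG, ERRSIG or no signature at all

def parse_statement(text):
    """Extract (account, fingerprint) from the signed statement, or None."""
    acct = re.search(r"^Jabber account:[ \t]*(\S.*?)[ \t]*$", text, re.M)
    fpr = re.search(r"^Fingerprint:[ \t]*([0-9A-Fa-f ]+?)[ \t]*$", text, re.M)
    if not acct or not fpr:
        return None
    hexfpr = fpr.group(1).replace(" ", "").upper()
    if len(hexfpr) != 40:  # OTR fingerprints are 160 bits: 40 hex digits
        return None
    return acct.group(1).lower(), hexfpr

def accept_otr_key(status, statement, peer_account, peer_fingerprint):
    """True only if a trusted signer vouches for this key on this account."""
    signer = signer_from_status(status)
    if signer is None or signer not in TRUSTED_SIGNERS:
        return False
    parsed = parse_statement(statement)
    if parsed is None:
        return False
    account, fingerprint = parsed
    presented = peer_fingerprint.replace(" ", "").upper()
    return account == peer_account.strip().lower() and fingerprint == presented
```

The signer's identity plays no part in the account comparison: the decision rests on whether the signing key is in the trusted set, not on whose account the statement names.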