[OTR-users] Newbie questions about verifying your buddies' fingerprints
Ian Goldberg
ian at cypherpunks.ca
Fri Nov 11 22:53:57 EST 2005

On Fri, Nov 11, 2005 at 10:45:51PM -0500, Benjamin Esham wrote:
> Hello all,
>
> I'm using the OTR plugin for Adium (so I'm using the older version of
> the OTR protocol). The idea of encrypted IMing is great, though I
> haven't yet been able to coerce any of my friends to convert to an
> OTR-capable IM client :-)
>
> My question is this: I should be verifying my buddies' fingerprints
> before I start conversations, right? In other words, is OTR like
> OpenPGP to the extent that I need to verify that the key
> [fingerprint] really belongs to the buddy I think I'm talking to?
> This seems like a standard process for encrypted information
> exchange, but the website says nothing about confirming your buddy's
> fingerprint.

Everything you say is correct. In the new gaim-otr, there's more help
text (both in an expander in the "unknown fingerprint" dialog, as well
as in web-based help reachable from various places in the app) to
explain the process.

> If it is true that you should verify your fingerprints, would it make
> sense (as another poster just asked) to publish my OTR fingerprint
> online, signed by my GPG key?

Yup, that's a perfectly reasonable thing to do. [Make sure to include
your IM name and protocol along with the fingerprint in the signed
message, though.]

> (If /that/'s true, is there any
> particular reason why the window displaying the fingerprint in Adium
> won't allow the fingerprint to be copied, and even disappears when
> switching to another application?)

Can't help you with that; I don't use OS X. Evan's responsible for the
OTR integration in Adium X. Evan, can you speak to this issue?
- Ian
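
Added example, not part of the original message or of any OTR client: a check that a published statement binds the IM account, the protocol and the fingerprint together, and that all three match what the IM client displays. It assumes the statement's OpenPGP signature was already verified separately (for example with `gpg --verify`); the "key: value" layout, the account name and the fingerprint value are constructed for illustration.

```python
import hmac
import re

# Constructed sample: cleartext body of a statement whose OpenPGP signature
# has ALREADY been verified. The "key: value" layout is an assumption.
SIGNED_BODY = """\
OTR fingerprint statement
account: alice_example
protocol: aim
fingerprint: 0A1B2C3D 4E5F6071 8293A4B5 C6D7E8F9 0A1B2C3D
"""

def normalize_fingerprint(text):
    """Return the fingerprint as 40 lowercase hex digits, or raise ValueError."""
    hexdigits = re.sub(r"\s+", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", hexdigits):
        raise ValueError("not a 160-bit OTR fingerprint")
    return hexdigits

def parse_statement(body):
    """Collect 'key: value' lines; all three binding fields are required."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    missing = {"account", "protocol", "fingerprint"} - fields.keys()
    if missing:
        # A bare fingerprint says nothing about which account it belongs to.
        raise ValueError("statement lacks: " + ", ".join(sorted(missing)))
    return fields

def matches_statement(body, account, protocol, shown_fingerprint):
    """True only if account, protocol and fingerprint all match the statement."""
    fields = parse_statement(body)
    # Account is compared exactly (conservative); protocol case-insensitively.
    same_identity = (fields["account"] == account
                     and fields["protocol"].lower() == protocol.lower())
    same_fp = hmac.compare_digest(
        normalize_fingerprint(fields["fingerprint"]),
        normalize_fingerprint(shown_fingerprint))
    return same_identity and same_fp

if __name__ == "__main__":
    shown = "0a1b2c3d 4e5f6071 8293a4b5 c6d7e8f9 0a1b2c3d"  # as shown in the client
    print(matches_statement(SIGNED_BODY, "alice_example", "aim", shown))
```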