[OTR-users] OTR and CHAT question

Robert Ryan rbrt_ryn at yahoo.com
Fri Jan 26 17:23:27 EST 2007


Jiann-Ming Su wrote:
> How do you protect the OTR keys from unauthorized use?  When I
> initiate an OTR chat now, I'm not asked for any authentication from
> the private keys.  What happens if a trusted user's laptop gets
> stolen, or his workstation gets compromised?  Can't the
> intruder/untrusted user start a trusted/verified OTR chat session?

The lack of any authentication and the lack of web of trust for OTR keys
are the main downfalls of the whole system. You need a separate system
to address these problems.

You could use PGP to send the session ID to your contact via signed,
encrypted email. That way you could use PGP's authentication and web of
trust. This wouldn't be very convenient for a group chat.

Alternatively, you could send a signed message via OTR. That way
everyone in the chat would get it. If they can verify your signature
(and they trust your key) they will know it is you.
-- 
Robert Ryan
Thunderbird + Enigmail + GnuPG
Gaim + OTR
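The binding Robert describes (sign the OTR session ID with a long-term key your contact already trusts, so a session started from a stolen laptop can't pass as you) can be shown in a few lines. The following is an added example, not code from the thread or from the OTR or Gaim projects; it uses Ed25519 from Go's standard library as a stand-in for the PGP signature, and the session ID bytes and names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Identity holds a long-term signing key. It stands in for a PGP key that
// the contact has already verified through the web of trust (assumption:
// Ed25519 is used here for a self-contained example; real deployments would
// use the PGP key the contact already trusts).
type Identity struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewIdentity generates a fresh long-term key pair for one participant.
func NewIdentity(name string) (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{Name: name, Pub: pub, priv: priv}, nil
}

// sessionIDMessage is the value actually signed: a fixed label plus the
// session ID, hashed, so the signature cannot be reused as a signature over
// some other kind of message.
func sessionIDMessage(sessionID []byte) []byte {
	h := sha256.New()
	h.Write([]byte("otr-session-attestation-v1\x00"))
	h.Write(sessionID)
	return h.Sum(nil)
}

// AttestSession signs the OTR session ID with the long-term key. This is the
// message the sender would mail (PGP) or post into the OTR chat.
func (id *Identity) AttestSession(sessionID []byte) []byte {
	return ed25519.Sign(id.priv, sessionIDMessage(sessionID))
}

// VerifyAttestation is the receiver's check: the signature must come from the
// trusted long-term key AND cover exactly the session ID seen locally.
// Someone holding only the OTR private key (stolen laptop) cannot produce it.
func VerifyAttestation(trustedPub ed25519.PublicKey, localSessionID, sig []byte) bool {
	return ed25519.Verify(trustedPub, sessionIDMessage(localSessionID), sig)
}

func main() {
	alice, err := NewIdentity("alice")
	if err != nil {
		panic(err)
	}
	bob, _ := NewIdentity("bob")

	// Constructed session ID; OTR clients display the real one as hex.
	sessionID := []byte{0x9a, 0x4f, 0x31, 0xc2, 0x07, 0xee, 0x5d, 0x80}
	sig := alice.AttestSession(sessionID)

	fmt.Printf("session %s attested by %s: %v\n",
		hex.EncodeToString(sessionID), alice.Name,
		VerifyAttestation(alice.Pub, sessionID, sig))

	// A different session, or a signature from a key Bob does not trust
	// as Alice, must fail the check.
	otherSession := []byte{0x9a, 0x4f, 0x31, 0xc2, 0x07, 0xee, 0x5d, 0x81}
	fmt.Println("same signature over another session:",
		VerifyAttestation(alice.Pub, otherSession, sig))
	fmt.Println("signature by untrusted key:",
		VerifyAttestation(alice.Pub, sessionID, bob.AttestSession(sessionID)))
}
```

The receiver's decision rests on two things only: which long-term public key they trust for that contact, and the session ID their own client shows. That is why the signed message does not need to be secret, only to be verified against a key obtained out of band.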