[OTR-users] OTR and CHAT question
Alex
alex323 at gmail.com
Fri Jan 26 17:42:16 EST 2007
On Fri, 26 Jan 2007 15:23:27 -0700
Robert Ryan <rbrt_ryn at yahoo.com> wrote:
> Jiann-Ming Su wrote:
> > How do you protect the OTR keys from unauthorized use? When I
> > initiate an OTR chat now, I'm not asked for any authentication from
> > the private keys. What happens if a trusted user's laptop gets
> > stolen, or his workstation gets compromised? Can't the
> > intruder/untrusted user start a trusted/verified OTR chat session?
>
> The lack of any authentication and the lack of web of trust for OTR
> keys are the main downfalls of the whole system. You need a separate
> system to address these problems.
I think what he meant was that the user should have to decrypt the
private key in order to start a chat. I dislike webs of trust
because they become entangled and chaotic (revocation certificates, and
all that other garbage). However, I do think that an encrypted private
key would be a step in the right direction to protect against stolen
laptops.
--
Alex