[OTR-users] PGP integration?

Paul Wouters paul at cypherpunks.ca
Sat Jun 22 12:41:39 EDT 2013


On Sat, 22 Jun 2013, Ximin Luo wrote:

> 1. Unfortunately if I sign my OTR key (a file) using my PGP key in the usual
> way, this creates a non-revocable signature using the "S" ability of the key.
>
> What we really want is to create revocable certification of the OTR key using
> the "C" ability of the key, which is the same thing that's done when signing
> other people's keys (as opposed to files).

I'm writing a draft to put the OTR key in your DNSSEC zone. Revoking
that is done by simply removing the DNS record, or replacing it with a
revoked key.

> 2. I'd like to bring up the issue of UIDs again because without a web-of-trust,
> OTR is stupidly hard to use, since you must verify keys with every single
> recipient. (Man-in-the-middle attacks destroy the credibility of non-verified
> sessions.)
>
> IMO the terminology used is extremely misleading too, e.g. [1] "authenticating
> your buddy helps to ensure that the person you are talking to is who he/she
> claims to be" completely ignores the issue of MitM.

I am confused. It is _exactly_ talking about MITM here?

Paul
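The distinction in point 1 of the quoted message (a file signature made with the key's "S" ability versus a revocable certification made with its "C" ability) comes down to the signature type byte of an OpenPGP signature packet. The following is an added example, not code from this thread or from the OTR or GnuPG projects: a small parser for v4 signature packets (RFC 4880 section 5.2.1) that reports the signature type and whether any OpenPGP revocation signature type can target it, plus the key-flags subpacket (type 27) that carries the C/S usage bits. The sample packets are constructed inline with dummy hash and MPI bytes; they are not real signatures.

```python
"""Classify OpenPGP v4 signature packets by signature type (RFC 4880 5.2.1)."""
import struct

# Signature type codes from RFC 4880 section 5.2.1.
SIG_TYPES = {
    0x00: "binary document signature",
    0x01: "canonical text document signature",
    0x02: "standalone signature",
    0x10: "generic certification of user ID",
    0x11: "persona certification of user ID",
    0x12: "casual certification of user ID",
    0x13: "positive certification of user ID",
    0x18: "subkey binding signature",
    0x19: "primary key binding signature",
    0x1F: "direct-key signature",
    0x20: "key revocation signature",
    0x28: "subkey revocation signature",
    0x30: "certification revocation signature",
    0x40: "timestamp signature",
    0x50: "third-party confirmation signature",
}
DOCUMENT_SIGS = {0x00, 0x01}          # made with the "S" usage (signing a file)
CERTIFICATIONS = {0x10, 0x11, 0x12, 0x13}  # made with the "C" usage (signing a key)
REVOCATIONS = {0x20, 0x28, 0x30}      # the only revocation types OpenPGP defines

# Key-flags subpacket bits (RFC 4880 section 5.2.3.21), shown with gpg's letters.
KEY_FLAG_NAMES = [(0x01, "C"), (0x02, "S"), (0x04, "E(comm)"), (0x08, "E(storage)"), (0x20, "A")]


def parse_packet(data):
    """Parse one old-format packet header; return (tag, body)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:
        raise ValueError("new-format headers are not handled in this example")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    if ltype == 0:
        length, off = data[1], 2
    elif ltype == 1:
        length, off = struct.unpack(">H", data[1:3])[0], 3
    elif ltype == 2:
        length, off = struct.unpack(">I", data[1:5])[0], 5
    else:
        raise ValueError("indeterminate length not supported")
    return tag, data[off:off + length]


def parse_v4_signature(body):
    """Return the v4 signature fields needed for classification."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    return {"type": body[1], "pk_algo": body[2], "hash_algo": body[3],
            "hashed_subpackets": body[6:6 + hashed_len]}


def key_flags(sig):
    """Return the key-flags byte from the hashed subpacket area, or None."""
    data, i = sig["hashed_subpackets"], 0
    while i < len(data):
        l = data[i]
        if l < 192:
            sub_len, i = l, i + 1
        elif l < 255:
            sub_len, i = ((l - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            sub_len, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        stype, content = data[i] & 0x7F, data[i + 1:i + sub_len]
        if stype == 27:
            return content[0]
        i += sub_len
    return None


def flag_names(flags):
    return [name for bit, name in KEY_FLAG_NAMES if flags & bit]


def classify(packet):
    """Describe a signature packet and say whether OpenPGP can revoke it."""
    tag, body = parse_packet(packet)
    if tag != 2:
        raise ValueError("not a signature packet (tag 2)")
    t = parse_v4_signature(body)["type"]
    if t in DOCUMENT_SIGS:
        revocable, note = False, "document signature: no revocation type targets it, only the key itself can be revoked"
    elif t in CERTIFICATIONS:
        revocable, note = True, "certification: revocable with a type 0x30 signature"
    else:
        revocable, note = t in REVOCATIONS, "other"
    return {"type": t, "name": SIG_TYPES.get(t, "unknown"), "revocable": revocable, "note": note}


def build_sig_packet(sig_type, hashed_subpackets=b""):
    """Construct a syntactically valid but cryptographically dummy v4 signature packet."""
    body = bytes([4, sig_type, 1, 8])                       # v4, type, RSA, SHA-256
    body += struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets
    body += b"\x00\x00" + b"\x12\x34" + b"\x00\x01\x01"      # no unhashed area, dummy hash prefix, dummy MPI
    return bytes([0x88, len(body)]) + body                  # old-format header, tag 2, 1-byte length


# Constructed samples: a file signature, a key certification carrying key flags C|S, and a cert revocation.
FILE_SIG = build_sig_packet(0x00)
KEY_CERT = build_sig_packet(0x13, bytes([2, 27, 0x03]))
CERT_REVOCATION = build_sig_packet(0x30)

if __name__ == "__main__":
    for name, pkt in [("file signature", FILE_SIG), ("key certification", KEY_CERT), ("revocation", CERT_REVOCATION)]:
        print(name, classify(pkt))
    print("key flags on certification:", flag_names(key_flags(parse_v4_signature(parse_packet(KEY_CERT)[1]))))
```

The practical consequence for the OTR case is the one the quoted message draws: if the OTR fingerprint is signed as a file (type 0x00), withdrawing that statement later means revoking the whole signing key, whereas a statement bound to a user ID as a certification (types 0x10 to 0x13) can be withdrawn with a 0x30 revocation without touching the key.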
