Suggestion: keep track of OTR keys in Pidgin
d33tah at gmail.com
Wed Feb 10 08:39:15 EST 2016
For a few of my contacts, I'm still using an unverified key. I'm getting
the impression that the way OTR was implemented, "unverified" was
supposed to mean "very little security added - please verify ASAP" and I
believe that there's a way to add a middle ground to that.
My proposal is to keep track of the unverified OTR keys and warn the
user whenever a new key is seen - so that when I'm talking to somebody
whose key I hadn't verified yet, I can see whether I'm just probably
being MITMed or whether this person is still using the same key.
What do you think about this one? Let me know if this post is at all
unclear and you'd like to see it rephrased.
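
The tracking proposed in the message above, as an added example (not part of the original post, and not Pidgin or libotr code). The class name, JSON file layout, status strings and `accept()` step are assumptions for illustration; a changed key is not pinned until the user accepts it, so the warning repeats on every session that presents it.

```python
import json
from pathlib import Path

FIRST_CONTACT = "first-contact"    # nothing pinned yet: pin this key (trust on first use)
SAME_KEY = "same-unverified-key"   # matches a pinned but still unverified key
VERIFIED = "verified"              # matches a key the user has verified
NEW_KEY = "new-key-warning"        # differs from every key pinned for this contact


def normalize(fingerprint):
    """Canonical form: lowercase hex with all whitespace removed."""
    return "".join(fingerprint.split()).lower()


class KeyTracker:
    """Pins every fingerprint seen per account and contact, verified or not."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def _keys(self, account, contact):
        # Layout: {account: {contact: {fingerprint: verified_flag}}}
        return self.pins.setdefault(account, {}).setdefault(contact, {})

    def _save(self):
        self.path.write_text(json.dumps(self.pins, indent=2))

    def observe(self, account, contact, fingerprint):
        """Classify the key a contact presents when a session starts."""
        fp, keys = normalize(fingerprint), self._keys(account, contact)
        if fp in keys:
            return VERIFIED if keys[fp] else SAME_KEY
        if keys:
            return NEW_KEY  # left unpinned until the user calls accept()
        keys[fp] = False
        self._save()
        return FIRST_CONTACT

    def accept(self, account, contact, fingerprint, verified=False):
        """Record a user decision: pin a new key, or mark a key as verified."""
        self._keys(account, contact)[normalize(fingerprint)] = verified
        self._save()
```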