Suggestion: keep track of OTR keys in Pidgin

Jacek Wielemborek d33tah at
Wed Feb 10 08:39:15 EST 2016


For a few of my contacts, I'm still using an unverified key. I'm getting
the impression that the way OTR was implemented, "unverified" was
supposed to mean "very little security added - please verify ASAP" and I
believe that there's a way to add a middle ground to that.

My proposal is to keep track of the unverified OTR keys and warn the
user whenever a new key is seen - so that when I'm talking to somebody
whose key I hadn't verified yet, I can see whether I'm just probably
being MITMed or whether this person is still using the same key.

What do you think about this one? Let me know if this post is at all
unclear and you'd like to see it rephrased.
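
The key tracking proposed in this message, sketched as an added example; it is not part of the original post and is not pidgin-otr or libotr code. The `SeenKeyStore` class, its JSON file and the `KeyStatus` names are hypothetical, chosen only to show how a client could tell "same unverified key as before" apart from "new key for a known contact".

```python
import json
import os
from enum import Enum

class KeyStatus(Enum):
    VERIFIED = "verified"            # user verified this fingerprint earlier
    SEEN_UNVERIFIED = "seen"         # unverified, but same key as an earlier session
    FIRST_CONTACT = "first-contact"  # nothing on record for this contact yet
    KEY_CHANGED = "key-changed"      # keys on record, and this is not one of them

class SeenKeyStore:
    """Hypothetical on-disk record of every fingerprint seen per contact."""

    def __init__(self, path):
        self.path = path
        self.seen = {}  # "account<TAB>contact" -> {fingerprint: verified flag}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.seen = json.load(fh)

    @staticmethod
    def _norm(fingerprint):
        # Compare fingerprints without display spacing or letter case.
        return "".join(fingerprint.split()).lower()

    def _save(self):
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self.seen, fh)
        os.replace(tmp, self.path)  # atomic swap: a crash cannot truncate the record

    def observe(self, account, contact, fingerprint):
        fp = self._norm(fingerprint)
        known = self.seen.setdefault(f"{account}\t{contact}", {})
        if fp in known:
            # Continuity only: an unverified key seen twice is still unverified.
            return KeyStatus.VERIFIED if known[fp] else KeyStatus.SEEN_UNVERIFIED
        status = KeyStatus.KEY_CHANGED if known else KeyStatus.FIRST_CONTACT
        known[fp] = False
        self._save()
        return status

    def mark_verified(self, account, contact, fingerprint):
        known = self.seen.get(f"{account}\t{contact}", {})
        fp = self._norm(fingerprint)
        if fp not in known:
            raise KeyError("fingerprint was never seen for this contact")
        known[fp] = True
        self._save()
```

Calling `observe()` when a session starts yields the middle ground described above: `KEY_CHANGED` is the case that warrants a warning, while `SEEN_UNVERIFIED` only says the key is the same one as before.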


