I'm a user of Pidgin with the off-the-record plugin:
http://www.cypherpunks.ca/otr/help/3.2.0/levels.php?lang=en
http://www.cypherpunks.ca/otr/help/3.2.0/authenticate.php?lang=en

In order to use GPG-based email encryption properly, it's important for users to authenticate with each other and verify that the public keys downloaded from the keyservers have fingerprints that match the ones on their respective computers. Typically the securest way to crosscheck fingerprints is via a secure channel such as an in-person meeting. But a phone call comes pretty close too (assuming that it would be difficult to mount a voice man-in-the-middle attack).

But what if there was no way to meet in person, make a phone call or a VoIP call? I was wondering if using Pidgin with the OTR plugin (and authenticating the OTR session using the Q&A method; see above link) could be considered a secure channel to exchange and crosscheck GPG key fingerprints in such a case.

Any thoughts?

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
