Hi,

For a few of my contacts, I'm still using an unverified key. I'm getting the impression that the way OTR was implemented, "unverified" was supposed to mean "very little security added - please verify ASAP", and I believe that there's a way to add a middle ground to that.

My proposal is to keep track of the unverified OTR keys and warn the user whenever a new key is seen - so that when I'm talking to somebody whose key I hadn't verified yet, I can see whether I'm probably being MITMed or whether this person is still using the same key. What do you think about this one? Let me know if this post is in any way unclear and you'd like to see it rephrased.

Cheers,
d33tah
_______________________________________________ OTR-dev mailing list OTR-dev@lists.cypherpunks.ca http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
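The bookkeeping the post proposes, as an added example that is not part of the original message or of libotr: a trust-on-first-use store that remembers the fingerprints each contact has used, so an unverified session can be reported as "same key as before" or "key I have never seen" rather than a single undifferentiated "unverified". Class and method names and the JSON layout are assumptions; a key that differs from everything on record keeps being flagged until the user accepts or verifies it.

```python
"""TOFU bookkeeping for OTR fingerprints (added example, not libotr code):
remember the keys each contact has used so an unverified session can be reported
as "same key as before" instead of "possibly MITMed". Names/JSON layout assumed."""
import json
from enum import Enum
from pathlib import Path


class KeyStatus(Enum):
    VERIFIED = "verified"      # matches the key verified out of band (SMP, in person)
    FIRST_SEEN = "first_seen"  # first key ever seen for this contact; still unverified
    UNCHANGED = "unchanged"    # same unverified key as in earlier sessions
    CHANGED = "changed"        # differs from everything on record: warn until accepted


class FingerprintStore:
    """Per-contact list of accepted fingerprints plus the verified one, if any."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None  # None keeps the store in memory only
        self.records = {}  # contact -> {"seen": [fp, ...], "verified": fp or None}
        if self.path and self.path.exists():
            self.records = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.records))

    def observe(self, contact, fingerprint):
        """Classify the key offered in a new session; auto-record only a first key."""
        rec = self.records.setdefault(contact, {"seen": [], "verified": None})
        if rec["verified"] is not None:  # any other key, seen before or not, is a downgrade
            return KeyStatus.VERIFIED if fingerprint == rec["verified"] else KeyStatus.CHANGED
        if not rec["seen"]:
            rec["seen"].append(fingerprint)  # TOFU: remember the first key, still unverified
            self._save()
            return KeyStatus.FIRST_SEEN
        return KeyStatus.UNCHANGED if fingerprint in rec["seen"] else KeyStatus.CHANGED

    def accept(self, contact, fingerprint, verified=False):
        """Record a key the user has acknowledged (or, with verified=True, verified)."""
        rec = self.records.setdefault(contact, {"seen": [], "verified": None})
        if fingerprint not in rec["seen"]:
            rec["seen"].append(fingerprint)
        if verified:
            rec["verified"] = fingerprint
        self._save()
```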