On Sat, 22 Jun 2013, Ximin Luo wrote:

> 1. Unfortunately if I sign my OTR key (a file) using my PGP key in the usual
> way, this creates a non-revocable signature using the "S" ability of the key.
>
> What we really want is to create revocable certification of the OTR key using
> the "C" ability of the key, which is the same thing that's done when signing
> other people's keys (as opposed to files).

I'm writing a draft to put the OTR key in your DNSSEC zone. Revoking
that is done by simply removing the DNS record, or replacing it with a
revoked key.

> 2. I'd like to bring up the issue of UIDs again because without a web-of-trust,
> OTR is stupidly hard to use, since you must verify keys with every single
> recipient. (Man-in-the-middle attacks destroy the credibility of non-verified
> sessions.)
>
> IMO the terminology used is extremely misleading too, e.g. [1] "authenticating
> your buddy helps to ensure that the person you are talking to is who he/she
> claims to be" completely ignores the issue of MitM.

I am confused. It is _exactly_ talking about MITM here?

Paul
_______________________________________________
OTR-users mailing list
[email protected]
http://lists.cypherpunks.ca/mailman/listinfo/otr-users
