Simon Josefsson wrote:
> Each client generates an OpenPGP key for the user when she creates an
> account. Instead of verifying a SAS in your example above, the users
> need to verify the OpenPGP fingerprint. If a SHA-1 hash is too
> techno-babbly, a human-readable transformation of the fingerprint could
> be used.

Or we use TLS-RSP the first time and use that password to gain the trust. After that I know it is you and I know your OpenPGP key for the next time. This makes it possible to use a password only once and use OpenPGP after that. It could also auto-sign keys with a minimum trust level once I have verified you with RSP.

> Advanced users can configure the client to use their already
> existing OpenPGP key if they want to re-use it for XMPP, which
> allows for re-use of the existing web of trust.

You could also sign your new key with the old one, trusting yourself.

Dirk
--
The only problem with mornings is that they happen too early in the day.
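The bootstrap Dirk describes (a one-time password-authenticated session binds the peer's OpenPGP key, and later sessions only compare fingerprints) as an added example, not code from this thread or from any XMPP client. It assumes a constructed SHA-1 stand-in for the OpenPGP fingerprint and a `password_auth_ok` flag that the caller obtains from the password-authenticated TLS handshake; the hypothetical `human_readable` helper illustrates Simon's grouped-fingerprint idea.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """Constructed stand-in for an OpenPGP fingerprint: SHA-1 of the key bytes."""
    return hashlib.sha1(public_key).hexdigest().upper()


def human_readable(fp: str) -> str:
    """Group a 40-hex-digit fingerprint into 4-character blocks for reading aloud."""
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))


@dataclass
class TrustStore:
    # contact -> (fingerprint, trust level). "password-verified" is the
    # minimum trust level granted after the one-time password check.
    keys: dict = field(default_factory=dict)

    def first_contact(self, contact: str, public_key: bytes, password_auth_ok: bool) -> str:
        """First session: bind the peer's key to the contact only if the
        password-authenticated channel actually succeeded."""
        if contact in self.keys:
            raise ValueError("contact already bound; use check_key instead")
        if not password_auth_ok:
            return "rejected"          # no password proof, so no key binding
        self.keys[contact] = (fingerprint(public_key), "password-verified")
        return "bound"

    def check_key(self, contact: str, public_key: bytes) -> str:
        """Later sessions: no password needed, just compare fingerprints."""
        stored = self.keys.get(contact)
        if stored is None:
            return "unknown"           # never bootstrapped; run first_contact
        if stored[0] != fingerprint(public_key):
            return "mismatch"          # key changed: treat as untrusted peer
        return "trusted"
```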
