[Psi-Devel] Off-the-Record messaging for Psi
kara.ml at arcor.de
Sun Oct 14 23:49:07 PDT 2007
Hi,
> If these fingerprints are stored automatically then it's worthless,
> because it's susceptible to MITM (which was my original belief).
They are stored, but OTR signals with an icon in the Pidgin chat window that
they are unverified (together with a help/information link*), and in the list
of known fingerprints and JIDs, the JIDs have the "Status: Unverified" and
the fingerprint "Verified:no". In the list window you can decide to verify or to
forget/delete a fingerprint.
*http://www.cypherpunks.ca/otr/help/buttonhelp.php
> If these fingerprints are stored manually after out of band
> verification then it's secure.
The status of the stored fingerprints changes after one of two (or both)
authentication methods:
- after the exchange of a shared secret/passphrase:
http://www.cypherpunks.ca/otr/help/authenticate.php?lang=en
- after the exchange of the fingerprints over another secured/personal channel
(mailed within a GPG signed e-mail, conversation on the phone, personal meeting):
http://www.cypherpunks.ca/otr/help/fingerprint.php?lang=en
One note: I like Psi's OpenPGP encryption with Jabber, but I notice that more
and more of my contacts are using/switching to Pidgin/Adium because of their
OTR support, and although I don't like Pidgin as a "Jabber client", I'm testing
Pidgin too ;)
--
Ciao
Kai
http://kairaven.de/
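
Added example, not part of the original message and not Pidgin's or libotr's code: a minimal Python model of the store described above, where fingerprints are saved automatically but only become verified after a comparison against a value received over another channel. The class and method names, the `unverified-key-changed` status and the sample fingerprints are assumptions constructed for illustration; the shared-secret method is not modelled.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample values (40 hex digits, written as 5 groups of 8).
ALICE_FP = "4A2B9C1D 00FFEE11 22334455 66778899 AABBCCDD"
OTHER_FP = "DEADBEEF 00000000 11111111 22222222 33333333"

def normalize(fp: str) -> str:
    """Drop separators and case so a pasted or dictated fingerprint compares equal."""
    hexed = "".join(c for c in fp if c not in " :-\t\n").lower()
    if len(hexed) != 40 or any(c not in "0123456789abcdef" for c in hexed):
        raise ValueError("expected 40 hex digits")
    return hexed

@dataclass
class FingerprintStore:
    # {jid: {fingerprint: verified?}} -- layout is an assumption of this sketch
    known: dict = field(default_factory=dict)

    def observe(self, jid: str, fp: str) -> str:
        """Record the key a session presented; return the status to display."""
        fp = normalize(fp)
        entries = self.known.setdefault(jid, {})
        if fp in entries:
            return "verified" if entries[fp] else "unverified"
        had_verified = any(entries.values())
        entries[fp] = False  # stored automatically, never trusted automatically
        # Hypothetical extra status: a new key for a contact we had verified.
        return "unverified-key-changed" if had_verified else "unverified"

    def verify_manually(self, jid: str, seen_fp: str, out_of_band_fp: str) -> bool:
        """Mark seen_fp verified only if it equals the value received out of band."""
        seen = normalize(seen_fp)
        match = hmac.compare_digest(seen, normalize(out_of_band_fp))
        if match and seen in self.known.get(jid, {}):
            self.known[jid][seen] = True
            return True
        return False

    def forget(self, jid: str, fp: str) -> None:
        """Delete a stored fingerprint, as the list window allows."""
        self.known.get(jid, {}).pop(normalize(fp), None)
```
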