[Psi-Devel] Off-the-Record messaging for Psi
dev.akhawe at gmail.com
Mon Oct 15 02:30:07 PDT 2007
> If these fingerprints are stored automatically then it's worthless,
> because it's susceptible to MITM (which was my original belief).
> If these fingerprints are stored manually after out of band
> verification then it's secure.
You mean I will verify the fingerprints via the other person's web
page or by asking him over the phone?
For example, this is what happens if you want to install a new root cert
into Firefox: Firefox asks you if you want to install the cert, then
you are shown the cert's fingerprint (which the issuing auth asks you
to verify on its web page), and only then can you install it.
Is this how it works in the present implementation? And who generates
these keys? GPG or the client itself? Who does all the encryption
work, Psi or gpg-agent?