Hi,
> If these fingerprints are stored automatically then it's worthless,
> because it's susceptible to MITM (which was my original belief).
They are stored, but OTR signals with an icon in the Pidgin chat window that
they are unverified (together with a help/information link*), and in the list
of known fingerprints and JIDs, the JIDs have "Status: Unverified" and the
fingerprint "Verified: no". In the list window you can decide to verify or to
forget/delete a fingerprint.

*http://www.cypherpunks.ca/otr/help/buttonhelp.php
> If these fingerprints are stored manually after out of band
> verification then it's secure.
The status of a stored fingerprint changes after one of two (or both)
authentication methods:

- after the exchange of a shared secret/passphrase:
  http://www.cypherpunks.ca/otr/help/authenticate.php?lang=en
- after the exchange of the fingerprints over another secured/personal channel
  (mailed within a GPG-signed e-mail, conversation on the phone, personal meeting):
  http://www.cypherpunks.ca/otr/help/fingerprint.php?lang=en
One note: I like Psi's OpenPGP encryption with Jabber, but I notice that more
and more of my contacts are using/switching to Pidgin/Adium because of their
OTR support, and although I don't like Pidgin as a "Jabber client", I'm testing
Pidgin too ;)
--
Ciao
Kai
http://kairaven.de/
_______________________________________________
Psi-Devel mailing list
Psi-Devel lists.affinix.com
http://lists.affinix.com/listinfo.cgi/psi-devel-affinix.com
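The trust states discussed in the message above (auto-stored but unverified, verified after SMP or an out-of-band fingerprint check, and the "this JID now presents a different key" case that is the actual MITM signal) can be made concrete with a small trust-on-first-use store. The following is an added example written for this page; it is not code from the original post, from Psi, Pidgin or libotr. It assumes the tab-separated layout of the libotr fingerprints file (one line per contact: username, account name, protocol, 40-hex-digit fingerprint, trust field that is empty, "verified" or "smp"); the sample store, JIDs and fingerprints are constructed for the example.

```python
"""Trust states of OTR fingerprints in a trust-on-first-use store.

Added example, not code from Psi, Pidgin or libotr.  The file layout is
assumed to follow libotr's fingerprints file: one contact per line,
tab-separated: username, accountname, protocol, fingerprint (40 hex
chars), trust ("", "verified" or "smp").  All sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

Key = Tuple[str, str, str]            # (username, accountname, protocol)
HEX = set("0123456789ABCDEF")

# Constructed sample store: alice verified by hand, bob auto-stored only,
# carol verified through the shared-secret (SMP) dialog.
SAMPLE_STORE = (
    "alice@example.org\tme@example.org\tprpl-jabber\t"
    "0123456789ABCDEF0123456789ABCDEF01234567\tverified\n"
    "bob@example.org\tme@example.org\tprpl-jabber\t"
    "89ABCDEF0123456789ABCDEF0123456789ABCDEF\t\n"
    "carol@example.org\tme@example.org\tprpl-jabber\t"
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98\tsmp\n"
)


@dataclass
class Fingerprint:
    username: str
    account: str
    protocol: str
    hexfp: str
    trust: str = ""                   # "" = stored but unverified

    @property
    def verified(self) -> bool:
        return self.trust in ("verified", "smp")


Store = Dict[Key, Dict[str, Fingerprint]]


def parse_store(text: str) -> Store:
    """Parse the fingerprints file into {(user, account, proto): {hexfp: Fingerprint}}."""
    store: Store = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 tab-separated fields")
        user, acct, proto, hexfp, trust = fields
        hexfp = hexfp.upper()
        if len(hexfp) != 40 or set(hexfp) - HEX:
            raise ValueError(f"line {lineno}: bad fingerprint {hexfp!r}")
        store.setdefault((user, acct, proto), {})[hexfp] = Fingerprint(
            user, acct, proto, hexfp, trust)
    return store


def dump_store(store: Store) -> str:
    """Serialise back to the same tab-separated layout."""
    lines = ["\t".join([fp.username, fp.account, fp.protocol, fp.hexfp, fp.trust])
             for contact in store.values() for fp in contact.values()]
    return "\n".join(lines) + "\n"


def human_fingerprint(hexfp: str) -> str:
    """Five groups of eight hex digits, as the verification dialog shows them."""
    return " ".join(hexfp[i:i + 8] for i in range(0, 40, 8))


def classify_session(store: Store, user: str, acct: str, proto: str, session_fp: str) -> str:
    """What the status icon should say when a session comes up with session_fp.

    "verified"/"unverified": the key is known.  "new": first contact, nothing
    stored yet.  "changed": the contact has stored keys but not this one;
    "changed-after-verify" is the case that should be treated as a MITM alarm,
    because a key the user already checked out of band is being replaced.
    """
    session_fp = session_fp.upper()
    known = store.get((user, acct, proto), {})
    if session_fp in known:
        return "verified" if known[session_fp].verified else "unverified"
    if not known:
        return "new"
    return "changed-after-verify" if any(fp.verified for fp in known.values()) else "changed"


def record_session(store: Store, user: str, acct: str, proto: str, session_fp: str) -> Fingerprint:
    """Auto-store on first contact: the key is remembered, the trust field stays empty."""
    session_fp = session_fp.upper()
    contact = store.setdefault((user, acct, proto), {})
    return contact.setdefault(session_fp, Fingerprint(user, acct, proto, session_fp, ""))


def mark_verified(store: Store, user: str, acct: str, proto: str, hexfp: str, how: str) -> Fingerprint:
    """Flip a stored key to verified after SMP ("smp") or an out-of-band check ("verified")."""
    if how not in ("verified", "smp"):
        raise ValueError("how must be 'verified' or 'smp'")
    fp = store[(user, acct, proto)][hexfp.upper()]
    fp.trust = how
    return fp


def forget(store: Store, user: str, acct: str, proto: str, hexfp: str) -> bool:
    """The list window's forget/delete action; returns True if a key was removed."""
    contact = store.get((user, acct, proto), {})
    removed = contact.pop(hexfp.upper(), None) is not None
    if not contact:
        store.pop((user, acct, proto), None)
    return removed


if __name__ == "__main__":
    s = parse_store(SAMPLE_STORE)
    for (u, a, p), keys in s.items():
        for fp in keys.values():
            print(f"{u:20} {human_fingerprint(fp.hexfp)}  {fp.trust or 'unverified'}")
```

The point the example makes is that "stored" and "verified" are different columns: an auto-stored key only protects against a man in the middle who arrives after the first session, and only if a client treats "changed-after-verify" as an alarm rather than silently adding a second unverified key for the same JID.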