Jacek Wielemborek:
> My proposal is to keep track of the unverified OTR keys and warn the
> user whenever a new key is seen - so that when I'm talking to somebody
> whose key I hadn't verified yet, I can see whether I'm just probably
> being MITMed or whether this person is still using the same key.
> 

Does it not do that already? I'm pretty sure I've seen UI notices to that 
effect in Pidgin. They are in the main conversation window with the rest of 
your contact's messages, as opposed to being a big fat warning dialog box. I 
guess that's to not scare users too much.

It is true that even this sort of tracking is quite basic though. A more 
complex idea would be to automatically verify keys via pre-existing verified 
keys, but this should really be part of a central contacts manager outside of 
OTR, and could take advantage of whatever secure protocols are available.

X

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
_______________________________________________
OTR-dev mailing list
[email protected]
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
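
The tracking proposed in the quoted message, as an added sketch that is not part of the original thread and is not libotr or pidgin-otr code: it records every fingerprint per contact and separates "same unverified key as before" from "new key for a known contact". The names `KeyTracker` and `KeyStatus`, the contact identifier and the fingerprints are assumptions made for illustration.

```python
from enum import Enum


class KeyStatus(Enum):
    FIRST_SEEN = "first key seen for this contact, stored as unverified"
    SAME_UNVERIFIED = "same unverified key as in earlier conversations"
    VERIFIED = "key the user has verified"
    NEW_KEY = "WARNING: contact presented a key not seen before"


class KeyTracker:
    """Hypothetical per-contact fingerprint store (illustration only)."""

    def __init__(self):
        self._known = {}  # contact -> {fingerprint: verified flag}

    @staticmethod
    def _norm(fingerprint):
        # Compare fingerprints independent of spacing and letter case.
        return "".join(fingerprint.split()).upper()

    def observe(self, contact, fingerprint):
        """Classify the key a contact presents at session start."""
        fp = self._norm(fingerprint)
        keys = self._known.setdefault(contact, {})
        if fp in keys:
            return KeyStatus.VERIFIED if keys[fp] else KeyStatus.SAME_UNVERIFIED
        # Unknown key: harmless on first contact, suspicious afterwards.
        status = KeyStatus.NEW_KEY if keys else KeyStatus.FIRST_SEEN
        keys[fp] = False  # remember it, but never as verified
        return status

    def mark_verified(self, contact, fingerprint):
        """Record an out-of-band verification of an already seen key."""
        fp = self._norm(fingerprint)
        if fp not in self._known.get(contact, {}):
            raise KeyError("cannot verify a key that was never observed")
        self._known[contact][fp] = True


if __name__ == "__main__":
    # Constructed sample data: contact name and fingerprints are made up.
    tracker = KeyTracker()
    old = "0A1B2C3D 4E5F6071 8293A4B5 C6D7E8F9 00112233"
    new = "FFEEDDCC BBAA9988 77665544 33221100 DEADBEEF"
    for fp in (old, old.lower(), new):
        print(tracker.observe("alice@example.org", fp).value)
```

In this sketch a new key is stored as unverified once the warning has been returned, so the warning fires only on the first sighting; a client could instead repeat it until the user acknowledges the change.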
