On 12/29/2014 09:07 AM, Bartosz Małkowski wrote:
> I’m thinking if we should add something (optional) to prove that OTR
> Key is trusted. I think about something based on for example OpenPGP
> signatures:
> 
> ...
> 
> Where signature is for example OpenPGP_Sign(otr_key_hash).

OTR doesn't work this way by design. Signing an OTR key via PGP before
verification may give you another channel to determine your trust in the
OTR key (assuming you do trust the PGP key used), but it also destroys
the deniability of the conversation (unless it were done AFTER the OTR
session is already established).

Regardless, I think this is out of the scope of what the OTR document
would define.

—Sam


-- 
Sam Whited
pub 4096R/54083AE104EA7AD3
https://blog.samwhited.com
