Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

erythrocyte firasmr786 at gmail.com
Fri Mar 12 23:18:44 CET 2010


On 3/13/2010 1:10 AM, MFPA wrote:
>> Each of these adds a given amount of risk, that really should be
>> made transparent to end-users IMHO.
> 
> 
> I think you might mean the risk should be made *clear* to end-users?
> Security is already *transparent* to end users visiting a "secure" website
> whose root certificate the browser already trusts.

I guess you could think of it that way. I guess what I'm trying to say
is that there might be instances where your security requirements aren't
in line with what your browser already trusts. And there has to be a
method to improve that and make it more "clear" / "transparent" / etc.

>> Some belong to well known CAs, while others belong to less reputable
>> ones.
> 
> A lot there that I've not heard of. Could be perfectly reputable, but
> I am unaware of their reputation...

Again, 'repute' in this context is relative. People's gold standards can
vary. I might be comfortable in trusting CA-A because they've actually
never ever screwed up in the past, while I wouldn't feel the same way
with CA-B because they actually have. It all goes back to how you define
your security requirements. Steve Gibson on his podcast, Security Now,
once talked about how a certificate from a well-known CA was spoofed
because of a weak hash algorithm that was used in signing.

-- 
erythrocyte
