Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

Sat Mar 13 07:00:57 CET 2010

> I guess what I'm trying to say here is that because regular people don't
> understand what spoofing actually is, that by itself is a security hole.

Semantics.  A security hole is a way by which the security policy may be violated.  Most people don't bother to think about policy in the first place.  This devolves into a philosophical question of, "is the fact most people don't bother to think about their security policy a way by which their security policy can be violated?"  It turns into a how-many-angels-can-dance-on-the-head-of-a-pin thing.  But it is at the very least a problem and you'll find few people here disagree with that.

> There's no way I could be trained enough to
> recognize spoofing of the latter kind even at a keysigning party.

A serious question here -- have you considered writing Immigration and Customs Enforcement or the Border Patrol (or equivalent groups, wherever you are) and asking them for information on how to distinguish real passports from forgeries?

Most governments are very willing to tell people what to look for.  It's in their best interests for official identity documents to not be forged, and for forgeries to be discovered as quickly as possible.  When I've asked the United States government about this they've always been cooperative.

You'd be amazed what you can learn just by having the chutzpah to walk up to someone who knows and saying, "hi, could you share?"  :)

>    b. I just think the ease with which users can authenticate makes it
>       a good choice. The secret answer method of authenticating is
>       easy for most of my friends to understand.

It is also a far weaker form of authentication than is often recommended for OpenPGP keys.  Not that this makes the technique invalid, but the weaker authentication needs to at least be considered.

> Well, I do think that's such a relative thing. Just because you don't
> notice these kinds of things going on in the place where you live
> doesn't mean they don't happen. How many people actually bother to look?

The United States has 1400 independent daily newspapers, each of whom employ a large number of people whose job it is to look.  On top of that you have groups like the Innocence Project that look for abuses in criminal courts, you have groups like ACCURATE that look for abuses in voting, you have...

The Western tradition of government usually involves a lot of people looking.  This is certainly not to say that abuses don't happen -- they clearly do -- but they do not occur at the frequency many fear.