[Security] Gajim 0.12's E2E encryption UI

Dirk Meyer dmeyer at tzi.de
Thu Aug 21 14:17:14 CDT 2008

Simon Josefsson wrote:
> Each client generates an OpenPGP key for the user when she creates an
> account.  Instead of verifying a SAS in your example above, the user
> needs to verify the OpenPGP fingerprint.  If a SHA-1 hash is too
> techno-babbly, a human-readable transformation of the fingerprint could
> be used.

Or we use TLS-RSP the first time and use that password to gain the
trust. After that I know it is you and I know your OpenPGP key for the
next time. This makes it possible to use a password only once and use
OpenPGP after that. It could also auto-sign keys with a minimum trust
level once I verified you with RSP.

> Advanced users can configure the client to use their already
> existing OpenPGP key if they want to re-use it for XMPP, which
> allows for re-use of the existing web of trust.

You could also sign your new key with the old one trusting yourself.


The only problem with mornings is that they happen too early in the
