[OTR-dev] session termination

[Paul Wouters]

On Tue, 29 May 2007, Tim wrote:

> Do I understand this correctly? If I go offline, your Gaim OTR will wait
> with the resend, until I go back online?

the message will be "sent" according to gaim, but stored on he IM server.
once you come back and obtain the unreadable message, gaim will renegotiate
and resend.

> What will happen to the message
> when I remain offline for, say, a week? This might well happen when my
> internet connection fails.You certainly will go offline in between.

I believe as long as gaim is running, and the otr sessions has not been closed
, it can resend the last message (or last few).

> If you stay online: What will happen if I change the client? For example
> if I'm chatting at my home PC, which has OTR installed, and then my
> connection gets interrupted. Later I go back online with another client
> on another PC (for example with ICQ2go at work), which doesn't have OTR
> capabilities. Then your Gaim will send me the message encrypted and I
> can't read it.

There will always be ways to shoot yourself in the foot. There are many more
scenarios I can come up where you might lose a message. However in practise,
this never happens to me. I don't use "web clients" (which per definition,
need to obtain your plaintext message, so you can never use OTR with then),
and I don't use IM clients that do not support OTR.

> About the "fallback to plaintext" security problem: You get a message
> when the session stopped and further messages will be sent in plaintext,
> don't you? So you know that you shouldn't send any sensitive information
> anymore.

Now picture I am Alice, and I'm blocking all your encrypted IM's, but not your
plaintext ones. How religious are you with "not sending sensitive information"?
OTR already supports not leaking plaintext messages in its current mechanisms.

I am not sure what kind of "patch" you were suggesting to make to otr. You tell
me?

Paul