From daniel.carrera@zmsl.com Mon May 1 13:19:10 2006
From: daniel.carrera@zmsl.com (Daniel Carrera)
Date: Mon, 01 May 2006 13:19:10 +0100
Subject: [OTR-users] OTR and Gaim on IRC
Message-ID: <4455FCBE.8090401@zmsl.com>

Hello,

Does the OTR Gaim plugin work on private IRC chats?

Yes, I know that OTR can't possibly work for a channel. But I don't know
enough about the IRC protocol to know if it should work for a private
IRC chat.

I know it works with Jabber. Should I get a Jabber account instead of
using IRC?

Thanks for the help.

Cheers,
Daniel.
--
      /\/`) http://opendocumentfellowship.org
     /\/_/
    /\/_/    ...and starting today, all passwords must
    \/_/     contain letters, numbers, doodles, sign
    /        language and squirrel noises.

From ian@cypherpunks.ca Wed May 3 13:00:04 2006
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Wed, 3 May 2006 08:00:04 -0400
Subject: [OTR-users] OTR and Gaim on IRC
In-Reply-To: <4455FCBE.8090401@zmsl.com>
References: <4455FCBE.8090401@zmsl.com>
Message-ID: <20060503120004.GP8086@smtp.paip.net>

On Mon, May 01, 2006 at 01:19:10PM +0100, Daniel Carrera wrote:
> Hello,
>
> Does the OTR Gaim plugin work on private IRC chats?
>
> Yes, I know that OTR can't possibly work for a channel. But I don't know
> enough about the IRC protocol to know if it should work for a private
> IRC chat.
>
> I know it works with Jabber. Should I get a Jabber account instead of
> using IRC?

IRC is the only IM protocol (that I know of) that OTR doesn't work over,
because of IRC's really really small message sizes. Once fragmentation
support is in, though, it ought to work.

   - Ian

From daniel.carrera@zmsl.com Wed May 3 13:12:55 2006
From: daniel.carrera@zmsl.com (Daniel Carrera)
Date: Wed, 03 May 2006 13:12:55 +0100
Subject: [OTR-users] OTR and Gaim on IRC
In-Reply-To: <20060503120004.GP8086@smtp.paip.net>
References: <4455FCBE.8090401@zmsl.com> <20060503120004.GP8086@smtp.paip.net>
Message-ID: <44589E47.4060704@zmsl.com>

Ian Goldberg wrote:
> IRC is the only IM protocol (that I know of) that OTR doesn't work over,
> because of IRC's really really small message sizes. Once fragmentation
> support is in, though, it ought to work.

Thanks. Ok, I'll go and use Jabber.

Thanks for making OTR!

Cheers,
Daniel.
--
      /\/`) http://opendocumentfellowship.org
     /\/_/
    /\/_/    ...and starting today, all passwords must
    \/_/     contain letters, numbers, doodles, sign
    /        language and squirrel noises.

From alex323@gmail.com Wed May 3 20:12:52 2006
From: alex323@gmail.com (Alex)
Date: Wed, 03 May 2006 15:12:52 -0400
Subject: [OTR-users] OTR and Gaim on IRC
In-Reply-To: <20060503120004.GP8086@smtp.paip.net>
References: <4455FCBE.8090401@zmsl.com> <20060503120004.GP8086@smtp.paip.net>
Message-ID: <445900B4.4090201@gmail.com>

Speaking of fragmentation support, what specifically needs to be fixed
with my patch? I am still interested in implementing this feature and
would like to do it correctly.

Ian Goldberg wrote:

>On Mon, May 01, 2006 at 01:19:10PM +0100, Daniel Carrera wrote:
>
>
>>Hello,
>>
>>Does the OTR Gaim plugin work on private IRC chats?
>>
>>Yes, I know that OTR can't possibly work for a channel. But I don't know
>>enough about the IRC protocol to know if it should work for a private
>>IRC chat.
>>
>>I know it works with Jabber. Should I get a Jabber account instead of
>>using IRC?
>>
>>
>
>IRC is the only IM protocol (that I know of) that OTR doesn't work over,
>because of IRC's really really small message sizes. Once fragmentation
>support is in, though, it ought to work.
>
>   - Ian
>_______________________________________________
>OTR-users mailing list
>OTR-users@lists.cypherpunks.ca
>http://lists.cypherpunks.ca/mailman/listinfo/otr-users
>

From ian@cypherpunks.ca Wed May 3 22:55:36 2006
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Wed, 3 May 2006 17:55:36 -0400
Subject: [OTR-users] OTR and Gaim on IRC
In-Reply-To: <445900B4.4090201@gmail.com>
References: <4455FCBE.8090401@zmsl.com> <20060503120004.GP8086@smtp.paip.net>
 <445900B4.4090201@gmail.com>
Message-ID: <20060503215536.GR8086@smtp.paip.net>

On Wed, May 03, 2006 at 03:12:52PM -0400, Alex wrote:
> Speaking of fragmentation support, what specifically needs to be fixed
> with my patch? I am still interested in implementing this feature and
> would like to do it correctly.

As I said, I'd take a look at it after CFP (where I am now).

   - Ian

From noah_spam@cox.net Thu May 4 05:20:43 2006
From: noah_spam@cox.net (Noah Spam)
Date: Wed, 03 May 2006 21:20:43 -0700
Subject: [OTR-users] configure: error: glib
Message-ID: <1146716443.13328.28.camel@localhost>

I am having a problem compiling gaim-otr-3.0.0 under SuSE 10.0. Here is
what I am entering and what I get out:

noah_spam@Susan:~/Downloads/gaim/gaim-otr-3.0.0> aclocal -I ./
noah_spam@Susan:~/Downloads/gaim/gaim-otr-3.0.0> ./configure --prefix=/usr --mandir=/usr/share/man
...
...
...
checking for glib-2.0 >= 2.4 gtk+-2.0 >= 2.4 gaim >= 1.0... configure: error: glib
./configure: line 19502: exit: gtk: numeric argument required
./configure: line 19502: exit: gtk: numeric argument required
noah_spam@Susan:~/My Downloads/gaim/gaim-otr-3.0.0> pkg-config --libs "glib-2.0 >= 2.4 gtk+-2.0 >= 2.4 gaim >= 1.0"
Package gaim was not found in the pkg-config search path.
Perhaps you should add the directory containing `gaim.pc'
to the PKG_CONFIG_PATH environment variable
No package 'gaim' found

But I DO have the -devel packages installed. YaST2 reports:
glib2-devel 2.1.8-3
gtk2-devel 2.8.3-4.3

and I have...
gaim 1.5.0-3

Regarding line 19502, it looks like a bug to me. This is what it says:
{ (exit gtk and gaim required); exit gtk and gaim required; }; }

I think that is buggy. It should (please correct me if I am wrong) say
something like:
{ (echo "gtk and gaim required"); exit 1; }; }

Going through the email archives, it appears that I am not the first with
this issue:
(http://lists.cypherpunks.ca/pipermail/otr-users/2005-December/000498.html )

Unfortunately, I don't know what the solution is. Perhaps an environment
variable not set correctly?
(reference: http://lists.cypherpunks.ca/pipermail/otr-users/2006-February/000562.html )

What environment variables are wrong? My related ones, that I could
find, are:
GTK_PATH=/usr/local/lib/gtk-2.0:/opt/gnome/lib/gtk-2.0:/usr/lib/gtk-2.0
GTK2_RC_FILES=/etc/opt/gnome/gtk-2.0/gtkrc:/opt/gnome/share/themes//Qt/gtk-2.0/gtkrc:/home/noah_spam/.gtkrc-2.0-qtengine:/home/noah_spam/.kde/share/config/gtkrc-2.0
GTK_RC_FILES=/etc/opt/gnome/gtk/gtkrc:/home/noah_spam/.gtkrc:/home/noah_spam/.kde/share/config/gtkrc
ACLOCAL_FLAGS=-I /opt/gnome/share/aclocal

So how do I compile and install this plugin?

Thanks,
NS

From ian@cypherpunks.ca Thu May 4 12:51:06 2006
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Thu, 4 May 2006 07:51:06 -0400
Subject: [OTR-users] configure: error: glib
In-Reply-To: <1146716443.13328.28.camel@localhost>
References: <1146716443.13328.28.camel@localhost>
Message-ID: <20060504115106.GT8086@smtp.paip.net>

On Wed, May 03, 2006 at 09:20:43PM -0700, Noah Spam wrote:
> I am having a problem compiling gaim-otr-3.0.0 under SuSE 10.0. Here is
> what I am entering and what I get out:
>
> noah_spam@Susan:~/Downloads/gaim/gaim-otr-3.0.0> aclocal -I ./
> noah_spam@Susan:~/Downloads/gaim/gaim-otr-3.0.0> ./configure
> --prefix=/usr --mandir=/usr/share/man
> ...
> ...
> ...
> checking for glib-2.0 >= 2.4 gtk+-2.0 >= 2.4 gaim >= 1.0...
> configure: error: glib
> ./configure: line 19502: exit: gtk: numeric argument required
> ./configure: line 19502: exit: gtk: numeric argument required
> noah_spam@Susan:~/My Downloads/gaim/gaim-otr-3.0.0> pkg-config --libs
> "glib-2.0 >= 2.4 gtk+-2.0 >= 2.4 gaim >= 1.0"
> Package gaim was not found in the pkg-config search path.
> Perhaps you should add the directory containing `gaim.pc'
> to the PKG_CONFIG_PATH environment variable
> No package 'gaim' found

Do you have gaim.pc installed? I don't know about Suse, but on other
systems, it's in the gaim-dev package (or something like that).

   - Ian

From didier@dfr.ch Fri May 5 21:04:27 2006
From: didier@dfr.ch (Didier Frick)
Date: Fri, 05 May 2006 22:04:27 +0200
Subject: [OTR-users] Gaim plugin and archiving
Message-ID: <1146859467.785.8.camel@localhost.localdomain>

Hi,

first of all a big thanks to the developers for their work.
I just installed the gaim-otr package on ubuntu and it works like charm.

There is one small issue IMHO with the handling of gaim's logging
feature.

If an unsuspecting user uses the plugin and has the logging option
activated,
the private OTR conversations will be archived as well in clear text,
breaking forward secrecy.

Sure it's possible to disable the logging manually, but would it be hard
to add an option allowing to disable the logging of OTR conversations
even if the rest of the conversation is being logged?

Thanks for your feedback....

Didier

From ian@cypherpunks.ca Fri May 5 23:03:48 2006
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Fri, 5 May 2006 18:03:48 -0400
Subject: [OTR-users] Gaim plugin and archiving
In-Reply-To: <1146859467.785.8.camel@localhost.localdomain>
References: <1146859467.785.8.camel@localhost.localdomain>
Message-ID: <20060505220348.GZ8086@smtp.paip.net>

On Fri, May 05, 2006 at 10:04:27PM +0200, Didier Frick wrote:
> Hi ,
>
> first of all a big thanks to the developers for their work.
> I just installed the gaim-otr package on ubuntu and it works like charm.
>
> There is one small issue IMHO with the handling of gaim's logging
> feature.
>
> If an unsuspecting user uses the plugin and has the logging option
> activated,
> the private OTR conversations will be archived as well in clear text,
> breaking forward secrecy.

It technically doesn't, because the logs are unauthenticated. But I
agree that the option to disable logging of OTR conversations is a fine
plan, and it's already on the todo list (and I'm pretty sure the request
is already on sourceforge).

   - Ian

From paul@cypherpunks.ca Sat May 6 18:28:28 2006
From: paul@cypherpunks.ca (Paul Wouters)
Date: Sat, 6 May 2006 19:28:28 +0200 (CEST)
Subject: [OTR-users] Gaim plugin and archiving
In-Reply-To: <20060505220348.GZ8086@smtp.paip.net>
References: <1146859467.785.8.camel@localhost.localdomain>
 <20060505220348.GZ8086@smtp.paip.net>
Message-ID:

On Fri, 5 May 2006, Ian Goldberg wrote:

> > If an unsuspecting user uses the plugin and has the logging option
> > activated,
> > the private OTR conversations will be archived as well in clear text,
> > breaking forward secrecy.
>
> It technically doesn't, because the logs are unauthenticated. But I
> agree that the option to disable logging of OTR conversations is a fine
> plan, and it's already on the todo list (and I'm pretty sure the request
> is already on sourceforge).

People want to keep logging, especially if they are using disk encryption
for their homedir (eg FileVault or something else). So please don't change
logging without telling the user. eg Make it an explicit option in the OTR
menu or something?

Paul

From didier@dfr.ch Sun May 7 16:07:50 2006
From: didier@dfr.ch (Didier Frick)
Date: Sun, 07 May 2006 17:07:50 +0200
Subject: [OTR-users] Gaim plugin and archiving
In-Reply-To:
References: <1146859467.785.8.camel@localhost.localdomain>
 <20060505220348.GZ8086@smtp.paip.net>
Message-ID: <1147014471.8620.2.camel@localhost.localdomain>

On Saturday 06 May 2006 at 19:28 +0200, Paul Wouters wrote:
>
> People want to keep logging, especially if they are using disk encryption
> for their homedir (eg FileVault or something else). So please don't change
> logging without telling the user. eg Make it an explicit option in the OTR
> menu or something?

I don't think disk encryption preserves forward secrecy, and the issue
becomes the one I outlined in my last message: even if _you_ do it
correctly, how can you be sure that your correspondents "get it" and do
it correctly as well....

So I still contend that the only way to preserve forward secrecy without
too many gaping holes that you can't control is to never log any OTR
conversation in any way.

From morty@gmx.net Sun May 7 18:51:39 2006
From: morty@gmx.net (Moritz 'Morty' Strübe)
Date: Sun, 07 May 2006 19:51:39 +0200
Subject: [OTR-users] Gaim plugin and archiving
In-Reply-To: <1147014471.8620.2.camel@localhost.localdomain>
References: <1146859467.785.8.camel@localhost.localdomain>
 <20060505220348.GZ8086@smtp.paip.net>
 <1147014471.8620.2.camel@localhost.localdomain>
Message-ID: <445E33AB.1030707@gmx.net>

Didier Frick wrote:
> On Saturday 06 May 2006 at 19:28 +0200, Paul Wouters wrote:
>
>> People want to keep logging, especially if they are using disk encryption
>> for their homedir (eg FileVault or something else). So please don't change
>> logging without telling the user. eg Make it an explicit option in the OTR
>> menu or something?
>>
>
> I don't think disk encryption preserves forward secrecy, and the issue
> becomes the one I outlined in my last message: even if _you_ do it
> correctly, how can you be sure that your correspondents "get it" and do
> it correctly as well....
>
> So I still contend that the only way to preserve forward secrecy without
> too many gaping holes that you can't control is to never log any OTR
> conversation in any way.
>

I agree with you. But I think that there are still a few people who'd
like to use OTR and still log to disk (like me). I'd vote for an option
to turn it on and off, and a warning-icon to show you that you are
logging. And maybe some notice that the other one is logging, but I
don't think it's too sensible. You can never go for sure that the other
one is not logging. IMHO the user has to decide but has to be warned.

Morty

From didier@dfr.ch Sun May 7 19:03:42 2006
From: didier@dfr.ch (Didier Frick)
Date: Sun, 07 May 2006 20:03:42 +0200
Subject: [OTR-users] Gaim plugin and archiving
In-Reply-To: <445E33AB.1030707@gmx.net>
References: <1146859467.785.8.camel@localhost.localdomain>
 <20060505220348.GZ8086@smtp.paip.net>
 <1147014471.8620.2.camel@localhost.localdomain>
 <445E33AB.1030707@gmx.net>
Message-ID: <1147025022.8620.6.camel@localhost.localdomain>

On Sunday 07 May 2006 at 19:51 +0200, Moritz 'Morty' Strübe wrote:
....
> >
> >
> I agree with you. But I think that there are still a few people who'd
> like to use OTR and still log to disk (like me). I'd vote for an
> option to turn it on and off, and a warning-icon to show you that you
> are logging. And maybe some notice that the other one is logging, but
> I don't think it's too sensible. You can never go for sure that the
> other one is not logging. IMHO the user has to decide but has to be
> warned.
> Morty

Well, OK. But my basic point is based on the blurb on the OTR website:

> Off-the-Record (OTR) Messaging allows you to have private
> conversations over instant messaging by providing:
>
>
> Encryption
>         No one else can read your instant messages.
> Authentication
>         You are assured the correspondent is who you think it is.
> Deniability
>         The messages you send do not have digital signatures that are
>         checkable by a third party. Anyone can forge messages after a
>         conversation to make them look like they came from you.
>         However, during a conversation, your correspondent is assured
>         the messages he sees are authentic and unmodified.
> Perfect forward secrecy
>         If you lose control of your private keys, no previous
>         conversation is compromised.

If there is any kind of logging occurring then the last statement isn't
true.

From morty@gmx.net Sun May 7 19:20:40 2006
From: morty@gmx.net (Moritz 'Morty' Strübe)
Date: Sun, 07 May 2006 20:20:40 +0200
Subject: [OTR-users] Gaim plugin and archiving
In-Reply-To: <1147025022.8620.6.camel@localhost.localdomain>
References: <1146859467.785.8.camel@localhost.localdomain>
 <20060505220348.GZ8086@smtp.paip.net>
 <1147014471.8620.2.camel@localhost.localdomain>
 <445E33AB.1030707@gmx.net>
 <1147025022.8620.6.camel@localhost.localdomain>
Message-ID: <445E3A78.9090604@gmx.net>

Didier Frick wrote:
> On Sunday 07 May 2006 at 19:51 +0200, Moritz 'Morty' Strübe wrote:
> [...]
>> Off-the-Record (OTR) Messaging allows you to have private
>> conversations over instant messaging by providing:
>>
>>
>> Encryption
>>         No one else can read your instant messages.
>> Authentication
>>         You are assured the correspondent is who you think it is.
>> Deniability
>>         The messages you send do not have digital signatures that are
>>         checkable by a third party. Anyone can forge messages after a
>>         conversation to make them look like they came from you.
>>         However, during a conversation, your correspondent is assured
>>         the messages he sees are authentic and unmodified.
>> Perfect forward secrecy
>>         If you lose control of your private keys, no previous
>>         conversation is compromised.
>>
>
> If there is any kind of logging occurring then the last statement isn't
> true.
>

I do not agree with you. That's something different.
The last point is about someone sniffing the traffic and getting your
private keys (i.e. by force) and still not being able to decode
anything. Logging is about the guy you're talking to. There is no
_software_ that can tell you if you can trust him.
You have to trust him, that he's not logging. You have to trust him that
he keeps his computer free of spy ware, etc.
Logging affects only the third statement anyway. And not even that,
because you can always say that he edited the log with an editor.
This stuff is all about "the others" not about the guy you're talking to.
At least if I got it right. ;-)
Morty

From didier@dfr.ch Sun May 7 19:50:05 2006
From: didier@dfr.ch (Didier Frick)
Date: Sun, 07 May 2006 20:50:05 +0200
Subject: [OTR-users] Gaim plugin and archiving
In-Reply-To: <445E3A78.9090604@gmx.net>
References: <1146859467.785.8.camel@localhost.localdomain> <20060505220348.GZ8086@smtp.paip.net> <1147014471.8620.2.camel@localhost.localdomain> <445E33AB.1030707@gmx.net> <1147025022.8620.6.camel@localhost.localdomain> <445E3A78.9090604@gmx.net>
Message-ID: <1147027806.8620.16.camel@localhost.localdomain>

OK, we clearly have different opinions ;)

On Sunday 07 May 2006 at 20:20 +0200, Moritz 'Morty' Strübe wrote:
> Didier Frick wrote:
> > ...
> I do not agree with you. That's something different. The last point is
> about someone sniffing the traffic and getting your private keys (i.e.
> by force) and still not being able to decode anything. Logging is
> about the guy you're talking to. There is no _software_ that can tell
> you if you can trust him.
> You have to trust him, that he's not logging.

There _is_ software that can reasonably guarantee you the guy is not
logging by not allowing him to, unless he goes out of his way, which you
can't prevent anyway I agree.

> You have to trust him that he keeps his computer free of spy ware,
> etc.

That's where the "forward secrecy" comes into play: if his machine is
infected by spy ware at time T:
a) if you're not logging, messages at times greater than T are compromised
b) if you're logging and have been for a while, ALL logged messages from the past are compromised

> Logging affects only the third statement anyway. And not even that,
> because you can always say that he edited the log with an editor.
> This stuff is all about "the others" not about the guy you're talking
> to.
> At least if I got it right. ;-)
> Morty

I'm still not convinced though: the "guy you're talking to"'s machine can be compromised later by "the others" and the logged messages can be retrieved.

To me "forward secrecy" means "the message you just sent cannot be retrieved, ever, no matter what happens". OK, maybe it's not the technical definition but I suspect it's the one most "end users" will understand. If you don't use logging, this condition is true thanks to the design of the OTR protocol. If you do use logging, this undermines the protection offered by the OTR protocol, both for you and for the party you're communicating with.

From me@nikita.ca Sun May 7 20:13:02 2006
From: me@nikita.ca (Nikita Borisov)
Date: Sun, 7 May 2006 14:13:02 -0500
Subject: [OTR-users] Gaim plugin and archiving
In-Reply-To: <1147027806.8620.16.camel@localhost.localdomain>
References: <1146859467.785.8.camel@localhost.localdomain> <20060505220348.GZ8086@smtp.paip.net> <1147014471.8620.2.camel@localhost.localdomain> <445E33AB.1030707@gmx.net> <1147025022.8620.6.camel@localhost.localdomain> <445E3A78.9090604@gmx.net> <1147027806.8620.16.camel@localhost.localdomain>
Message-ID: <16f0378d0605071213w3383a0b6g19f11f80b9325795@mail.gmail.com>

On 5/7/06, Didier Frick wrote:
> There _is_ software that can reasonably guarantee you the guy is not
> logging by not allowing him to, unless he goes out of his way, which you
> can't prevent anyway I agree.

A user doesn't necessarily have to go out of his way; he could instead be using a different OTR-enabled client that doesn't have this forced disabling of logging, or simply an older version of gaim-otr. So even if we disallowed logging of OTR conversations, the guarantees you get about what your conversation partner is doing with his logs are pretty weak.

I would not be in favor of implementing this and inconveniencing a large number of users who *do* want to log their conversations and take the chance that their computers will be compromised and logs may be stolen, in exchange for the ability to later look at conversation logs.
But I think a default option to disable logging whenever OTR is used would be a good idea, since to most people "off-the-record" intuitively means that no records should be kept, as long as we give people the option of turning the logs back on.

- Nikita

From jacob@appelbaum.net Sun May 7 20:35:32 2006
From: jacob@appelbaum.net (Jake Appelbaum)
Date: Sun, 07 May 2006 15:35:32 -0400
Subject: [OTR-users] Re: OTR-users digest (regarding logging)
In-Reply-To: <20060507185103.8389.94875.Mailman@brandeis.paip.net>
References: <20060507185103.8389.94875.Mailman@brandeis.paip.net>
Message-ID: <1147030532.20543.211.camel@localhost.localdomain>

> Message: 1
> Subject: Re: [OTR-users] Gaim plugin and archiving
> From: Didier Frick
> To: Paul Wouters
> Cc: Ian Goldberg, otr-users@lists.cypherpunks.ca
> Date: Sun, 07 May 2006 17:07:50 +0200
>
> On Saturday 06 May 2006 at 19:28 +0200, Paul Wouters wrote:
> >
> > People want to keep logging, especially if they are using disk encryption
> > for their homedir (eg FileVault or something else). So please don't change
> > logging without telling the user. eg Make it an explicit option in the OTR
> > menu or something?
>
> I don't think disk encryption preserves forward secrecy, and the issue
> becomes the one I outlined in my last message: even if _you_ do it
> correctly, how can you be sure that your correspondents "get it" and do
> it correctly as well....
>
> So I still contend that the only way to preserve forward secrecy without
> too many gaping holes that you can't control is to never log any OTR
> conversation in any way.
>

Obviously disk encryption doesn't preserve forward secrecy. In theory it can keep things secret under certain threats. (I'm not talking about the pile of junk that is filefault, that's a lost cause.)

I agree that you probably shouldn't log conversations but I don't think this is easy to accomplish.

In defense of loggers, Gaim logs aren't cryptographically sound. My gaim logs are just lines in a text file and anyone can add anything they like to them. If I'm away from the computer and they do it quickly enough, it would be possible to inject an entire conversation into my log files.

I can inject data into log files that looks like it was sent by a given party when it was not.

Here's an example:

cat /home/error/.gaim/logs/aim/error23five/ioerrortype23/2006-05-07.150151.txt
Conversation with ioerrortype23 at 2006-05-07 15:01:51 on error23five (aim)
(15:01:53) error23five: hi
(15:02:02) io error type23: hey
(15:02:16) error23five: This is a GAIM log message being forged
(15:02:21) io error type23: how so?
(15:03:29) error23five: I will now copy your sent message to me, change the time stamp and paste two responses with different words to see how the text is formatted in the logs.
(15:03:40) io error type23: You've put words in my mouth.
(15:04:10) io error type23: You're so smart and sexy, will you be mine?

The last three messages were actually a single message. All that's required to make the log look realistic is knowing the remote logging format with regard to dates and their system time. Pretty easy.

Given the fact that OTR cannot control logging all of the time it seems difficult and perhaps a really good place for a mistake.

Perhaps the plugin could contain a data leak flag that says: "Would you like to let people know you're logging this automatically?" And perhaps the client would say: "It appears that the remote party is logging automatically." And perhaps there could be a way to request logging was disabled.

And likely, no one would enable that flag because it's a privacy nightmare.

Practically speaking this would be unenforceable. Some clients already ship with logging enabled by default. I believe the user friendly adium for Mac OS X does this. I believe that people using the OTR proxy would also be out of the reach of such possible plugin features.

Personally, I would ask the remote party to disable logging manually. It seems best because they learn how to do such a thing in their client of choice.

Regardless of OTR, disk encryption or what have you, anyone can log messages in a way that could possibly be used against you. And either way, logging or not, you have to trust the person you're talking with to some degree.

--
Jake Appelbaum

From lenz@cs.wisc.edu Mon May 8 06:49:28 2006
From: lenz@cs.wisc.edu (John Lenz)
Date: Mon, 8 May 2006 00:49:28 -0500 (CDT)
Subject: [OTR-users] Typo in protocal description
Message-ID: <63065.24.158.15.229.1147067368.squirrel@www.wuzzeb.org>

(I sent this before subscribing to the list, so it got caught for moderation. I am now resending it after subscribing)

Hey, I was reading the protocol description on http://www.cypherpunks.ca/otr/Protocol-v2-3.0.0.html and I noticed in the section "Exchanging Data" near the top, Bob's third step says

Uses ek and ctr to decrypt AES-CTRek,ctr(TA).

I think it should read

Uses ek and ctr to decrypt AES-CTRek,ctr(msg)

Since that is what Alice encrypted to Bob. In any case, thanks for creating a great encryption plugin for gaim!
John

From paul@cypherpunks.ca Mon May 8 21:19:04 2006
From: paul@cypherpunks.ca (Paul Wouters)
Date: Mon, 8 May 2006 22:19:04 +0200 (CEST)
Subject: [OTR-users] Gaim plugin and archiving
In-Reply-To: <1147027806.8620.16.camel@localhost.localdomain>
References: <1146859467.785.8.camel@localhost.localdomain> <20060505220348.GZ8086@smtp.paip.net> <1147014471.8620.2.camel@localhost.localdomain> <445E33AB.1030707@gmx.net> <1147025022.8620.6.camel@localhost.localdomain> <445E3A78.9090604@gmx.net> <1147027806.8620.16.camel@localhost.localdomain>
Message-ID:

On Sun, 7 May 2006, Didier Frick wrote:

> There _is_ software that can reasonably guarantee you the guy is not
> logging by not allowing him to, unless he goes out of his way, which you
> can't prevent anyway I agree.

Yes, it is called DRM.

> To me "forward secrecy" means "the message you just sent cannot be
> retrieved, ever, no matter what happens". OK, maybe it's not the
> technical definition but I suspect it's the one most "end users" will
> understand.

If you cannot trust the person you are talking to, or the person's machine you are talking to, then you shouldn't be talking to him and trust OTR.

> If you don't use logging, this condition is true thanks to
> the design of the OTR protocol.

Not really. Spyware can still see the decrypted text on his machine. You have got to trust it, or not talk.

> the protection offered by the OTR protocol, both for you and for the
> party you're communicating with.

OTR is about protecting the message IN TRANSIT, not at either end.

Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

From ian@cypherpunks.ca Tue May 9 15:08:55 2006
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Tue, 9 May 2006 10:08:55 -0400
Subject: [OTR-users] Typo in protocal description
In-Reply-To: <63065.24.158.15.229.1147067368.squirrel@www.wuzzeb.org>
References: <63065.24.158.15.229.1147067368.squirrel@www.wuzzeb.org>
Message-ID: <20060509140855.GP8086@smtp.paip.net>

On Mon, May 08, 2006 at 12:49:28AM -0500, John Lenz wrote:
> Hey, I was reading the protocol description on
> http://www.cypherpunks.ca/otr/Protocol-v2-3.0.0.html and I noticed in the
> section "Exchanging Data" near the top, Bob's third step says
>
> Uses ek and ctr to decrypt AES-CTRek,ctr(TA).
>
> I think it should read
>
> Uses ek and ctr to decrypt AES-CTRek,ctr(msg)
>
> Since that is what Alice encrypted to Bob. In any case, thanks for
> creating a great encryption plugin for gaim!

Good catch. I've made the change in the dev tree.

Thanks!

- Ian

From jason@sjobeck.com Thu May 11 09:02:42 2006
From: jason@sjobeck.com (Jason SJOBECK)
Date: Thu, 11 May 2006 01:02:42 -0700
Subject: [OTR-users] OTR plug-in for Trillian
Message-ID: <1147334562.10993.18.camel@barcelona.sjobeck.com>

> All,
>
>
> FYI
>
> http://tinyurl.com/jb8rp
>
> Great new usage of OTR: a great new plug-in for Trillian (which we have all been jonesing for a long time for).
>
> Thanks very much.
>
> Peace.
>
> Jason Sjöbeck

From Torsten.GroteNOSPAM@gmx.de Thu May 11 22:44:00 2006
From: Torsten.GroteNOSPAM@gmx.de (Torsten Grote)
Date: Thu, 11 May 2006 23:44:00 +0200
Subject: [OTR-users] Problem with german umlauts
Message-ID: <4463B020.7080806@gmx.de>

Hello,

A friend of mine is using Trillian basic 3.1 (build 121) with otrproxy-0.3.1 on socks5. I'm using Gaim2 beta3 with libotr 3.0.0 and gaim-otr 3.0.0 in linux.

If he sends me a message over ICQ or AIM containing umlauts like öäüÖÄÜ, I just get a blank message with no text in it. On the other hand, if I send him messages with umlauts everything works as desired.

Greets and Thanks,
Torsten

From ian@cypherpunks.ca Thu May 11 23:03:09 2006
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Thu, 11 May 2006 18:03:09 -0400
Subject: [OTR-users] Problem with german umlauts
In-Reply-To: <4463B020.7080806@gmx.de>
References: <4463B020.7080806@gmx.de>
Message-ID: <20060511220309.GF8086@smtp.paip.net>

On Thu, May 11, 2006 at 11:44:00PM +0200, Torsten Grote wrote:
> Hello,
>
> A friend of mine is using Trillian basic 3.1 (build 121) with
> otrproxy-0.3.1 on socks5. I'm using Gaim2 beta3 with libotr 3.0.0 and
> gaim-otr 3.0.0 in linux.
> If he sends me a message over ICQ or AIM containing umlauts like öäüÖÄÜ,
> I just get a blank message with no text in it. On the other hand, if I
> send him messages with umlauts everything works as desired.

Are you sure your friend is using otrproxy 0.3.1? Because the problem you describe is exactly what was fixed in the change from 0.3.0 to 0.3.1.

- Ian

From Torsten.GroteNOSPAM@gmx.de Sun May 14 15:54:13 2006
From: Torsten.GroteNOSPAM@gmx.de (Torsten Grote)
Date: Sun, 14 May 2006 16:54:13 +0200
Subject: [OTR-users] Re: Problem with german umlauts
Message-ID: <44674495.2090908@gmx.de>

> Are you sure your friend is using otrproxy 0.3.1? Because the problem
> you describe is exactly what was fixed in the change from 0.3.0 to
> 0.3.1.

Yes, I'm sure.
I asked him again and he confirmed that he installed 0.3.1 and that the version information is saying 0.3.1, too.

Greets,
Torsten

From jmoschetti45@gmail.com Tue May 30 22:50:52 2006
From: jmoschetti45@gmail.com (Joe Moschetti)
Date: Tue, 30 May 2006 17:50:52 -0400
Subject: [OTR-users] Gaim 2 beta 3 + otr
Message-ID:

I tried to compile OTR for gaim 2 beta 3, and at first it failed, so I applied the patch for beta 2, and then it compiled and installed, but it doesn't show up in the gaim plugin list. Ideas?

--
Joe Moschetti
http://jmoschetti45.ath.cx/

From ian@cypherpunks.ca Tue May 30 23:03:34 2006
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Tue, 30 May 2006 18:03:34 -0400
Subject: [OTR-users] Gaim 2 beta 3 + otr
In-Reply-To:
References:
Message-ID: <20060530220334.GK10506@smtp.paip.net>

On Tue, May 30, 2006 at 05:50:52PM -0400, Joe Moschetti wrote:
> I tried to compile OTR for gaim 2 beta 3, and at first it failed, so I
> applied the patch for beta 2, and then it compiled and installed, but it
> doesn't show up in the gaim plugin list. Ideas?

If you run "gaim -d", are there any helpful messages around where it looks for plugins?

- Ian

From jxbian@ualr.edu Wed May 31 14:35:34 2006
From: jxbian@ualr.edu (Jiang Bian)
Date: Wed, 31 May 2006 08:35:34 -0500
Subject: [OTR-users] RE: OTR-users digest, Vol 1 #206 - 2 msgs
In-Reply-To: <20060531102833.10034.8597.Mailman@brandeis.paip.net>
Message-ID: <0J0400047TRCKSC0@hermes.ualr.edu>

Can you use debug window under Gaim->Help->Debug Window? When you open the plugin list it will give you the messages about which plugins can be loaded, which can not and why? These may give you some idea.

Most time because of wrong ld setting, and gaim-otr can not find dependency libotr.so.2 (maybe this name, I can not remember).
Run

ldd /usr/local/lib/gaim/gaim-otr.so

If you install gaim into /usr instead of /usr/local, please replace /usr/local with /usr.

It will tell you which module is missing; then try to locate that module, add the path into /etc/ld.so.conf, and rerun ldconfig.
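The dependency check described in the last message above, as an added example that is not part of the original message and not code from the OTR project: it reads ldd output, lists the libraries reported as "not found", and looks for each one in candidate directories. The function names, the searched directories and the sample ldd output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find which shared libraries a plugin cannot resolve and
# which directory would need to be listed in /etc/ld.so.conf.
# Nothing here modifies the system; it only reads and reports.

# Constructed sample of `ldd gaim-otr.so` output (not captured from a real system).
SAMPLE_LDD='    linux-gate.so.1 =>  (0xffffe000)
    libotr.so.2 => not found
    libgcrypt.so.11 => /usr/lib/libgcrypt.so.11 (0xb7e8c000)
    libc.so.6 => /lib/tls/libc.so.6 (0xb7d50000)'

# missing_libs: read ldd output on stdin, print one unresolved soname per line.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }' | sort -u
}

# find_lib_dir SONAME DIR...: print the first DIR that contains SONAME.
# Returns non-zero when no directory has it.
find_lib_dir() {
    soname=$1
    shift
    for dir in "$@"; do
        if [ -e "$dir/$soname" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# diagnose DIR...: read ldd output on stdin and, for every unresolved
# library, report where it was found among the given directories.
diagnose() {
    missing_libs | while IFS= read -r lib; do
        if dir=$(find_lib_dir "$lib" "$@"); then
            printf '%s: found in %s (add that directory to /etc/ld.so.conf, then run ldconfig)\n' "$lib" "$dir"
        else
            printf '%s: not found in any searched directory\n' "$lib"
        fi
    done
}

# On a real system:
#   ldd /usr/local/lib/gaim/gaim-otr.so | diagnose /usr/local/lib /usr/lib
# Here the constructed sample is used instead, so the script runs offline.
printf '%s\n' "$SAMPLE_LDD" | diagnose /usr/local/lib /usr/lib
```

ldd may execute code from the file it inspects, so run it only on binaries you trust; `objdump -p FILE | grep NEEDED` lists the required libraries without loading them.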