<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
- While the DSA key is only used for authentication, it's still the
basis of trust for the conversation. While the person may not be able
to prove the conversation happened, if he can fake your DSA key, he can
initiate secure conversations on your behalf. You can of course verify
the secure id but you might not do this if you have no reason to
suspect you've been compromised. <br>
<br>
- While this is true, I don't see why it's necessary to leave open the
possibility. It is estimated that if Moore's Law holds, a 2048 bit RSA
keys should be secure until 2030, while 1024 bit keys will only be
secure until 2010. As most people are chatting on modern PCs, the
computational differences between such key sizes are irrelevant. When I
used gaim-encrypt with a 2048 RSA key, I didn't notice any noticeable
slowdown. <br>
<br>
To me, OTR's main advantage is Perfect Forward Security. Unlike using
PGP with email, it's impractical to encrypt the private key, and
therefore a compromise of your system can be disastrous. If someone
broke into my system and stole id.priv, they could read all my
conversations encrypted with gaim-encrypt (and prove I wrote them).
Protecting the content of the message is the primary goal. Then- as a
consolation, you can deny you wrote the messages- however this might
not make up for the fact that your secret is out. Obviously, encrypted
messages can't remain secure forever but I think a 5-10 year timespan
is reasonable. 2048 bit keys can with reasonable surity guarantee that
where a 1536 bit key can not. <br>
<br>
With PGP, a relatively security consciious user, and a strong
passphrase to encrypt the secret key, a user can be fairly secure. PGP
also seems to fit the needs of email more than deniability/PFS. I view
email as a more official medium that has a permanance that instant
messanges don't. I might want messages I receive to be non-repuditable.
If I wanted to have a private "off the record" conversation with
someone I would do it in person, or with OTR on gaim. This makes clear
that at least one of the participants wants to keep the message
private, and even if the other does tell others, they can't prove what
they heard is true. <br>
<br>
Email is increasingly being used to replace other official forms of
communication in business. If this is the case, email should have a
guarantee of non-repuditablity and security. Email simply is no longer
"off-the-record". Email is used to spread memorandums, and other
official documents. It would be confusing and bad business practice to
allow a sender to deny he sent an official document. It would certainly
undermine trust between businesses and between employees. <br>
<br>
Ian Goldberg wrote:
<blockquote cite="mid20050328163238.GF30200@smtp.paip.net" type="cite">
<pre wrap="">On Mon, Mar 28, 2005 at 08:56:34AM -0500, Ian Goldberg wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Mon, Mar 28, 2005 at 04:18:19AM -0500, Jason Cohen wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Upon reading the Protocol Description paper I found I was incorrect
about the DH modulus size (It's 1536 bits rather than 1000). However, I
would still like to use a 2048 bit modulus which is the currently
recommended size. Is this possible?
I also saw a great deal of discussion on the developer's mailing list
about allowing the use of RSA signing keys in addition to DSS. Are RSA
signing keys currently allowed? If so, how would I go about increasing
the size to 2048 bits?
</pre>
</blockquote>
<pre wrap="">In this version of the protocol, the only key exchange method defined is
DSA, and the only key agreement is 1536-bit DH. This may change in a
later version, at the cost of incompatibility with clients that don't
understand it.
</pre>
</blockquote>
<pre wrap=""><!---->
I'd also like to note a couple of things:
- The keysize of the authentication step only has to make it secure
until after your buddy receives the message; after he's accepted your
initial DH key, you don't care what happens in the future. DSA is
plenty fine for this today.
- The keysize of the DH only has to be large enough that you're
comfortable with the adversary having to break a DH key agreement *per
message*, since (approximately) each message you send is encrypted
with a new key, derived from a fresh DH key agreement. [And, although
it's small comfort, even if, in 20 years, pocket calculators can break
1536-bit DH in real time, you _still_ get the deniability properties;
the transcripts are completely forgeable, so they'll need to be
convinced your stored transcripts haven't been messed with over the
decades.]
- Ian
_______________________________________________
OTR-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OTR-users@lists.cypherpunks.ca">OTR-users@lists.cypherpunks.ca</a>
<a class="moz-txt-link-freetext" href="http://lists.cypherpunks.ca/mailman/listinfo/otr-users">http://lists.cypherpunks.ca/mailman/listinfo/otr-users</a>
</pre>
</blockquote>
<br>
</body>
</html>