Ian,<br><br>We didn't 'know' for sure, hence the quotes. When you chat with a person regularly you pick up on their grammar, slang usage, punctuation, etc. It's not scientific, but it's certainly relevant to my experience with the authentication process and I'll explain. They already 'know' they're talking to me, and I already 'know' I'm talking to them based on those factors, combined with the minuscule probability that we are targets of covert surveillance or subject to a MITM attack. Others might not be so safe in those assumptions.
<br><br>You are correct that we certainly do not know with 100% certainty, and this is the reason I would like authentication to be more accessible. As it stands right now, authenticating properly feels like an extra, unnecessary step because 1) there is the aforementioned assumption that the person is who you think it is, and 2) the "OTR: Private" icon can easily be displayed without going through that step, by blindly confirming the other party's fingerprint. I realize in theory there is some chance that is not correct, but the average user doesn't think that way. If a way can be found to make it easier, why not explore it?
<br><br>The conversations have all gone something like this:<br><br>Me: Hey, have you heard about Off The Record?<br>Them: No, what's that?<br>Me: [explanation of encryption, authentication, deniability, perfect forward secrecy, link to website with gaim plugin]
<br>Them: Cool [download and enable]<br>OTR Started, make sure to verify and authenticate<br>Me: Alright, let's authenticate with the ____ of _____<br>Them: Alright, it says Private. cool<br>Me: Did you use the pass phrase?
<br>Them: I don't know, but it says private.<br>Me: Did you get any kind of dialog or anything? It says it's waiting.<br>Them: It says it's private, so it must have worked.<br>Me: Here, I'll cancel it. Try going to Authenticate and typing in the answer to that question
<br>Them: I don't know, it says it's private though.<br>[by this time I'm feeling like a pain in the ass and drop it, because I have my false sense of certainty that it's them anyway]<br><br>Nobody wants to feel like a pain in the ass, and having felt that way three times now, it's seeming like a usability issue. I'm not trying to insult your work or be a pebkac; I do honestly want
to see <i>everyone</i> adopt secure and private messaging. You can write it off as me and everyone I've shared it with being clueless if you wish, I just thought I'd try to help out.<br><br>Best regards,<br>Harlan
<br><br><div class="gmail_quote">On Nov 26, 2007 5:35 PM, Ian Goldberg <<a href="mailto:ian@cypherpunks.ca">ian@cypherpunks.ca</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">On Sun, Nov 25, 2007 at 05:20:59PM -0600, Harlan Iverson wrote:<br>> For my friends, they just 'knew' at the time that they were talking to me,<br>> so authenticating using a shared secret was not something that they cared to
<br>> investigate further.<br><br></div>How could they possibly know this? Without doing some kind of<br>authentication (either the manual fingerprint check or the shared<br>secret), there's no way to distinguish a working OTR connection and one
<br>that's going through a MITM (say, the automated OTR MITM plugin for<br>ejabberd: <a href="http://www.ejabberd.im/mod_otr" target="_blank">http://www.ejabberd.im/mod_otr</a> ).<br><font color="#888888"><br> - Ian
<br></font><div><div></div><div class="Wj3C7c">_______________________________________________<br>OTR-users mailing list<br><a href="mailto:OTR-users@lists.cypherpunks.ca">OTR-users@lists.cypherpunks.ca</a><br><a href="http://lists.cypherpunks.ca/mailman/listinfo/otr-users" target="_blank">
http://lists.cypherpunks.ca/mailman/listinfo/otr-users</a><br></div></div></blockquote></div><br>
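The distinction Ian draws above, as an added example that is not part of this thread or of the OTR code: a toy Python simulation of an unauthenticated key exchange, showing that a "Private" icon set by blindly confirming tells you nothing about a relayed connection, while comparing the displayed fingerprint against one obtained out of band does. The small group, the peer names and the `scenario` helper are constructed assumptions; OTR's real group, fingerprint format and protocol messages are not reproduced.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration only.
# Real OTR uses a 1536-bit MODP group; this 127-bit prime gives no security.
P = 2**127 - 1
G = 3

class Peer:
    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.session_key = b""
        self.status = "Not private"   # what the client's status icon would show

    def derive(self, remote_pub):
        # Session key from the DH shared secret with whoever sent remote_pub.
        shared = pow(remote_pub, self.priv, P)
        self.session_key = hashlib.sha256(shared.to_bytes(16, "big")).digest()

def fingerprint(pub):
    # Stand-in for the fingerprint the client displays for a peer's key.
    return hashlib.sha1(pub.to_bytes(16, "big")).hexdigest()

def blind_confirm(peer):
    # The behaviour described in the thread: clicking "verify" without
    # comparing anything. The icon turns "Private" regardless of the key.
    peer.status = "Private"

def verify_fingerprint(peer, remote_pub, expected_fp):
    # Compare the displayed fingerprint against one obtained out of band.
    ok = fingerprint(remote_pub) == expected_fp
    peer.status = "Private" if ok else "Unverified"
    return ok

def scenario(mitm, blind):
    """Return (Alice's status icon, whether Alice and Bob share a key)."""
    alice, bob = Peer("Alice"), Peer("Bob")
    mallory = Peer("Mallory")
    # With a relay in the path, each side receives the relay's key instead.
    alice.derive(mallory.pub if mitm else bob.pub)
    bob.derive(mallory.pub if mitm else alice.pub)
    bob_fp = fingerprint(bob.pub)  # the value Alice would read over the phone
    if blind:
        blind_confirm(alice)
    else:
        verify_fingerprint(alice, mallory.pub if mitm else bob.pub, bob_fp)
    return alice.status, alice.session_key == bob.session_key
```

Running `scenario(mitm=True, blind=True)` yields `("Private", False)`: the icon says Private while Alice and Bob hold different keys, which is exactly the case the fingerprint comparison in `scenario(mitm=True, blind=False)` catches.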