<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title></title>
<style type="text/css">
<!--
body{margin-left:10px;margin-right:10px;margin-top:10px;margin-bottom:10px;}
-->
</style>
</head>
<body marginleft="10" marginright="10" margintop="10" marginbottom="10">
<div align="left" style="text-align:left;"><font face="Calibri" size="+1" color="#000000" style="font-family:Calibri;font-size:14pt;color:#000000;">That's my understanding of it.</font></div>
<div align="left" style="text-align:left;"><font face="Calibri" size="+1" color="#000000" style="font-family:Calibri;font-size:14pt;color:#000000;">Many applications protect private keys with a pass phrase, but I'm not aware of that option in OTR.  And even if it was an option, you still couldn't be certain your buddy was using it.</font></div>
<div align="left" style="text-align:left;"><font face="Calibri" size="+1" color="#000000" style="font-family:Calibri;font-size:14pt;color:#000000;">I'll bet this situation isn't addressed b/c if Mallory can get private keys, there are probably other, even worse problems.</font></div>
<div align="left" style="text-align:left;"><font face="Calibri" size="+1" color="#000000" style="font-family:Calibri;font-size:14pt;color:#000000;">--Bits</font></div>
<br />
<div align="left" style="text-align:left;"><font face="Arial" size="+0" color="#000000" style="font-family:Arial;font-size:10pt;color:#000000;"><b>"Greg Reagle reagle-at-cepr.net |otr/Example Allow|" &lt;<a href="mailto:f0qdznaivt@sneakemail.com">f0qdznaivt@sneakemail.com</a>&gt; on Friday, April 17, 2015 at 10:18 -0400 wrote:</b></font></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">Hello all. I have a question about authentication in OTR. The docs say</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">"However, once you've authenticated your buddy, you don't have to do it</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">again. OTR will automatically do the authentication for all of your</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">future conversations with that buddy." [1] My understanding is that the</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">authentication is based on the idea that your buddy has a private key</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">that no one else has. So what if you authenticate with your buddy Bob,</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">then, somehow, Mallory gets access to Bob's computer and gets his secret</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">key. Then OTR will continue to say that you are having an authenticated</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">session with Bob, but it could be Mallory? Is that right?</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">[1] <a href="https://otr.cypherpunks.ca/help/4.0.0/authenticate.php?lang=en" target="_blank">https://otr.cypherpunks.ca/help/4.0.0/authenticate.php?lang=en</a></font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">-- </font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">Greg Reagle</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">System &amp; Network Administrator</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">Center for Economic and Policy Research</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;"><a href="mailto:reagle@cepr.net">reagle@cepr.net</a></font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">_______________________________________________</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">OTR-users mailing list</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;"><a href="mailto:OTR-users@lists.cypherpunks.ca">OTR-users@lists.cypherpunks.ca</a></font></span></div>
<br />
<br/>
</body>
</html>