[OTR-dev] In what way is the forgeability feature useful?
Jon Kristensen
info at jonkri.com
Sun Mar 3 16:15:46 EST 2013
On 02/28/2013 04:14 PM, otr-users at lists.cypherpunks.ca wrote:
> On Wed, 27 Feb 2013, Jon Kristensen wrote:
>
>> However, I still don't understand when the revealing of the MAC keys
>> is useful. If Eve does not manage to decrypt the ciphertext, the text
>> cannot be used to prove anything. If Eve does manage to acquire or
>> guess the encryption key, she will also have the MAC key (as the MAC
>> key is a simple derivation of the encryption key), and thus the power
>> to forge the transcript.
>>
>> What would we lose by not posting the MAC keys over the wire?
>
> With the MAC keys you can fake messages _in the past_.
>
> So while you won't be fooled in your _current_ conversation, no one can
> later produce logs to claim you said something, as _anyone_ who captured
> the MACs could forge messages (for the past!) as you or your conversation
> partner.
>
> Paul

Paul,

Thank you for your reply, but I still don't see how this helps. I don't
see how anyone could claim that I would have said something even without
the MAC keys. The only way to decrypt our message is to have the
encryption key. And if Eve has the encryption key, she also has the MAC
key.

So I ask again: What would we lose by not posting the MAC keys over the
wire?

Actually, when I think about it, there seems to be a potential drawback
with exposing the MAC keys: If Eve has the MAC key (for example, as
revealed over the wire), and an encryption key which seems to decrypt
the message, that should pretty much prove that the encryption key in
question is actually the key that was used, as the probability of the
same MAC key being derived from another encryption key is extremely low.

Jon
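
The two properties discussed in this thread, as an added Python example that is not from the thread or from the OTR code base. It assumes the OTR v2/v3 derivation (MAC key = SHA-1 of the AES key, HMAC-SHA1 tags), uses a hash-based XOR keystream as a stand-in for AES in counter mode, and all keys and messages are constructed.

```python
import hashlib
import hmac

def derive_mac_key(enc_key: bytes) -> bytes:
    # Assumption (OTR v2/v3 spec, not stated in the thread): MAC key = SHA-1(AES key).
    return hashlib.sha1(enc_key).digest()

def mac(mac_key: bytes, data: bytes) -> bytes:
    # Assumption: data messages are authenticated with HMAC-SHA1.
    return hmac.new(mac_key, data, hashlib.sha1).digest()

def stream_xor(enc_key: bytes, data: bytes) -> bytes:
    # Stand-in for AES counter mode (the standard library has no AES):
    # XOR the data with SHA-256(key || block counter). Encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(enc_key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(d ^ k for d, k in zip(data[i:i + 32], block))
    return bytes(out)

def rewrite_with_revealed_key(revealed_mac_key, ciphertext, old_plain, new_plain):
    # Uses only the published MAC key and a guess at the old plaintext, never
    # the encryption key: XORing the difference into a stream-cipher ciphertext
    # changes what it decrypts to, and the published key tags the result.
    if not len(ciphertext) == len(old_plain) == len(new_plain):
        raise ValueError("lengths must match")
    altered = bytes(c ^ a ^ b for c, a, b in zip(ciphertext, old_plain, new_plain))
    return altered, mac(revealed_mac_key, altered)

def verifies(mac_key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(mac_key, ciphertext), tag)

def confirms_enc_key(candidate_enc_key: bytes, revealed_mac_key: bytes) -> bool:
    # A revealed MAC key lets anyone test a candidate encryption key against it.
    return hmac.compare_digest(derive_mac_key(candidate_enc_key), revealed_mac_key)

# Constructed sample data (not real OTR traffic)
ENC_KEY = bytes(range(16))
MAC_KEY = derive_mac_key(ENC_KEY)
PLAIN = b"meet at noon"
CT = stream_xor(ENC_KEY, PLAIN)
TAG = mac(MAC_KEY, CT)
ALTERED_CT, ALTERED_TAG = rewrite_with_revealed_key(MAC_KEY, CT, PLAIN, b"meet at nine")

if __name__ == "__main__":
    print("original verifies:", verifies(MAC_KEY, CT, TAG))
    print("altered verifies: ", verifies(MAC_KEY, ALTERED_CT, ALTERED_TAG))
```

Both the original and the altered message carry a valid tag under the published key, so a logged tag does not identify the author, while `confirms_enc_key` shows the check a revealed MAC key makes possible against a candidate encryption key.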