[OTR-dev] Persisting userstate object across app restarts.

Tom Ritter tom at ritter.vg
Wed Aug 13 09:02:35 EDT 2014


On 11 August 2014 22:10, Paul Wouters <paul at cypherpunks.ca> wrote:
> Is there another way we can tackle the "sending a message to a user
> that is offline" problem? That is a very legitimate issue for users
> using OTR on their phones.


I agree.  Most people are probably familiar with it, but TextSecure
(Trevor Perrin) designed a new ratchet for this exact purpose:
https://whispersystems.org/blog/advanced-ratcheting/  It uses a
sub-ratchet that doesn't require the user to store key material that is
as sensitive as OTR's.

That said... TextSecure and whatever app you're writing probably
_also_ stores the plaintext messages as a history that can be scrolled
through. TS is still protected by a password, but in general, my order
of importance of OTR secrets is: long term key material allowing
impersonation, plaintext chats, session keys. What's the concern about
storing session keys if either the plaintext or the long term key is
stored accessible?

-tom

