[OTR-users] OTR and CHAT question

Alex alex323 at gmail.com
Fri Jan 26 18:22:33 EST 2007


On Fri, 26 Jan 2007 16:05:17 -0700
Robert Ryan <rbrt_ryn at yahoo.com> wrote:

> Alex wrote:
> 
> > I think what he meant was that the user should have to decrypt the
> > private key in order to start a chat. I dislike webs of trust
> > because they become entangled and chaotic (revocation certificates,
> > and all that other garbage). However I do think that an encrypted
> > private key would be a step in the right direction to protect
> > against stolen laptops.
> > 
> 
> True, but it still doesn't provide your contact any assurance that
> they are really talking to you. It also doesn't solve the key
> revocation problem.
> 
> It would be easy for a trojan to wait until the file is decrypted and
> then lift it.

You can say that a trojan can wait for your PGP private key to become
available too. One of the main ideas behind OTR is plausible
deniability, which PGP is lacking in (proof that you've said something
can be good and bad). The internet is so anonymous, it is impossible to
really "know" who you are talking to unless you see the other party in
real life and trade fingerprints (even then, he could leave his desk
for a moment while someone else starts chatting with you). OTR is as
good as it's going to get.

I still think that the current system could benefit from an encryption
scheme for private keys on disk.

-- 
Alex