[OTR-users] OTR and CHAT question

Robert Ryan rbrt_ryn at yahoo.com
Mon Jan 29 13:22:56 EST 2007


Alex wrote:
> Robert Ryan wrote:
>> It would be easy for a trojan to wait until the file is decrypted 
>> and then lift it.
> 
> You can say that a trojan can wait for your PGP private key to become
> available too.

The difference being that the PGP key is only decrypted for as long as
it takes to decrypt a single message. It is never stored to disk. PGP
also takes special pains to protect the memory location it is decrypted
to. By default the memory is wiped after it is used.

The OTR key file must remain decrypted for the entire conversation. It
is a plain text file that anyone can read or write. It is stored, in the
open, on disk. You have to be careful that you wipe the decrypted
version at the end.

> One of the main ideas behind OTR is plausible deniability, which PGP
> is lacking in (proof that you've said something can be good and
> bad).
> 
You would only use PGP to verify your identity. The rest of the
conversation remains deniable because no one can prove who said what or
when.

> The internet is so anonymous, it is impossible to really "know" who 
> you are talking to unless you see the other party in real life

But I do need to know that the Alex who sent this message is the same as
the one who sent the message on Jan 26. The OTR fingerprint only
identifies you; it does not authenticate you.

Authentication involves something only you know, like a PIN or passphrase.

> even then, he could leave his desk for a moment while someone else
> starts chatting with you.

It's worse than that: it would only take a few moments to walk off with
the keyfile itself. If that happens, there is no way to revoke the key!

-- 
Robert Ryan
Thunderbird + Enigmail + GnuPG
Gaim + OTR