[OTR-users] What we can expect in future? / file transfer via OTR?

Gregory Maxwell gmaxwell at gmail.com
Mon Nov 26 10:42:27 EST 2007


On Nov 26, 2007 10:24 AM, Michael Reichenbach
<michael_reichenbach at freenet.de> wrote:
[snip]
> Imho OTR is a protocol and it's in final version and no good idea to
> change it because many clients implement it. We can't expect the
> developers from this project to add real new features, just improvements
> for the security (if needed later), user support and an updated version
> of their own implementation for pidgin. But the developers may give a
> final verdict on this.
>
> Sure I would love to use Pidgin also for encrypted and authenticated
> file transfers. Because it does not have this feature yet we are
> currently using some complicated setup with ftp over ssl. It does not
> provide Deniability and Perfect forward secrecy but it's better than no
> encryption and authentication at all.

It may be possible for OTR to help offer encrypted file transfer with
very little change to the protocol.  Simply provide an interface in
OTR for OTR to send an empty message then return the encryption key
and mac key used for that message.  The client would then encrypt the
file using those keys and send the file through the normal file
transfer means. The remote client could use the same keys.

Some work would need to be included to defer the release of that mac
key until the file was received... but we're not talking a complete
protocol overhaul.

Generally the ability for OTR to act as a person to person key
producer would be pretty useful.  Especially now that it offers the
secure millionaire based real-time authentication, which is a feature
not offered by anything else.

Sending files as in-band OTR messages, as was suggested, is pretty
much a non-starter: most IM systems rate limit messages.
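
The scheme proposed above, sketched as an added example that is not part of the original post or of any OTR implementation: keys assumed to come from a hypothetical OTR key-export interface protect a file sent out of band, and the sender tracks when the MAC key may be released. `seal_file`, `open_file`, `PendingTransfer` and the HMAC-based keystream are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so this runs on the
    # standard library alone; a real client would use a vetted cipher (AES-CTR).
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(enc_key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal_file(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    nonce = os.urandom(16)
    body = nonce + keystream_xor(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_file(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:  # 16-byte nonce + 32-byte tag is the minimum
        raise ValueError("blob too short")
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        raise ValueError("MAC check failed")
    return keystream_xor(enc_key, body[:16], body[16:])

class PendingTransfer:
    """Sender-side state: hold the MAC key back until the peer confirms receipt."""
    def __init__(self, mac_key: bytes):
        self._mac_key = mac_key
        self.acked = False

    def acknowledge(self) -> None:
        self.acked = True

    def releasable_mac_key(self):
        # None means: do not yet list this key among the revealed MAC keys.
        return self._mac_key if self.acked else None

if __name__ == "__main__":
    enc_key, mac_key = os.urandom(16), os.urandom(20)  # constructed stand-ins for exported keys
    transfer = PendingTransfer(mac_key)
    blob = seal_file(enc_key, mac_key, b"constructed sample file contents")
    assert transfer.releasable_mac_key() is None
    assert open_file(enc_key, mac_key, blob) == b"constructed sample file contents"
    transfer.acknowledge()
    print("MAC key released:", transfer.releasable_mac_key() == mac_key)
```

Releasing the MAC key before the receiver has checked the tag would let anyone who sees the key forge a file that still verifies, which is why the release is tied to the acknowledgement.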
