[OTR-users] What do you suggest for non-real-time messages?

Ian Goldberg ian at cypherpunks.ca
Wed Dec 10 09:51:50 EST 2008


On Tue, Dec 09, 2008 at 10:04:09PM +0100, Michael Reichenbach wrote:
> Encryption & Authentication are most important for me and Deniability &
> Perfect forward secrecy are nice give-away.
> 
> To chat with my friends I prefer using OTR. For communication with
> business partners OTR would be a bad choice because you need to have
> proof after the conversation of who had said what.
> 
> But because OTR is for non-business communications I am asking what to
> use for non-real-time messages with friends.
> 
> A non-real-time message is needed when the buddy is currently not online
> but I want to leave the recipient a message so the recipient reads it
> the next time he goes online. (Real-time is normal instant messages,
> don't know a better term for what I am talking about.)
> 
> I could use E-Mail and OpenPGP. But...
> - It does not provide Deniability & Perfect forward secrecy, only
> Encryption & Authentication.
> - And the even worse reason not to use it: it's very uncomfortable.
> In my generation we prefer to talk to each other using instant
> messengers because they are faster and more practical, as soon as you go
> online you see who's online and who's not and you maybe get some
> messages from your "mailbox" (messages sent while you were offline). It's
> really preferred over E-Mail. (Yes, it's arguable and a matter of taste.)
> - It's very impractical to chat over two systems (for example, Pidgin &
> OTR + E-Mail & OpenPGP), two conversation lines and bad integration into
> each other (history) and two needs to authenticate.
> 
> That's the big derivation why I want to use OTR also for non-real-time
> communication.
> 
> Can you tell me this feature will ever come into OTR?
> 
> Or what else can you recommend me to use?

There's a fundamental problem with trying to get perfect forward secrecy
along with offline communication: if your buddy is disconnected, and
perhaps off, with no transient state, but only long-term secrets, and he
can still (later, when he comes back online) read the messages you send
him, then the long-term secret was sufficient to read the message.  This
is antithetical to perfect forward secrecy.  So at a minimum, your
long-term secrets need to change regularly, and there needs to be some
way to communicate them (in an authentic manner) to your buddies, while
you're offline.

On the other side, one can make at least some progress with offline
deniability using techniques like ring signatures (see the original OTR
paper).  But since the perfect forward secrecy issues are much greater,
this isn't implemented.

   - Ian
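
Added example, not part of the message above and not OTR code: a toy sketch of the argument that whatever secret an offline recipient keeps is enough to read the message, and that rotating and erasing that secret bounds the exposure. The group parameters, helper names and sample message are assumptions made for illustration, and the authenticated distribution of rotated keys that the message calls for is left out.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, for illustration only (assumed, not OTR's parameters).
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _keys(shared):
    raw = shared.to_bytes(32, "big")
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()

def _xor(enc_key, data):
    # Keystream = HMAC(enc_key, counter) blocks; a stand-in for a real cipher.
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(enc_key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(recipient_pub, plaintext):
    """Sender encrypts to a published key; the recipient may be offline."""
    eph_priv, eph_pub = keypair()
    enc_key, mac_key = _keys(pow(recipient_pub, eph_priv, P))
    ct = _xor(enc_key, plaintext)
    return eph_pub, ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(stored_priv, msg):
    """Uses only the recipient's stored secret; returns None if it is the wrong key."""
    eph_pub, ct, tag = msg
    enc_key, mac_key = _keys(pow(eph_pub, stored_priv, P))
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return _xor(enc_key, ct)

def scenario():
    # Case 1: one long-term key. Whoever obtains it later reads recorded traffic.
    lt_priv, lt_pub = keypair()
    recorded = seal(lt_pub, b"see you at eight")   # constructed sample message
    static_leak = open_sealed(lt_priv, recorded)
    # Case 2: the receiving key is rotated and the old private half erased after reading.
    old_priv, old_pub = keypair()
    recorded = seal(old_pub, b"see you at eight")
    read_by_buddy = open_sealed(old_priv, recorded)
    del old_priv                                   # rotation: old secret is gone
    new_priv, _ = keypair()
    rotated_leak = open_sealed(new_priv, recorded) # secret obtained after rotation
    return static_leak, read_by_buddy, rotated_leak
```

Until the rotation happens, the stored secret still opens the recorded message, so the rotation period is the window of exposure.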


