[OTR-users] multi-party OTR communications? (and other OTR details)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Sep 18 13:50:44 EDT 2008


Hey OTR folks--

I'm still wrapping my head around the ideas of OTR, and i just wanted
to float a question or two to people who understand the crypto better
than myself.

My understanding is that OTR is designed such that it can only be used
in two-party communication (private message), and that it cannot be
used in multi-party communication (e.g. an IRC channel, or an XMPP
conference room).

I believe this is because the reason you can get authenticated
communications in OTR is that only the two parties involved know the
session key involved.  And if a message arrives that is properly
wrapped in the session key, you know that it was written by your
conversation partner simply because you personally did not write it.

This clearly doesn't scale to the n > 2 case (if you all share a
session key, how do you know which of the other parties wrote a given
message?), but is also why OTR has the deniability feature: if the
other party decides to share your conversation with a third party (and
they had somehow cached and stored the session info), you can simply
point out that they knew the session key as well as you did, and they
could have authored any of the messages themselves.

But you cannot deny that you *had* a conversation, assuming the other
party cached all the traffic and their ephemeral session key, because
the key verification step is unimpeachable if the DH keys for the
session are known.

Is my understanding of these points correct?  Am i using terms in ways
they shouldn't be used?  Am i confused and don't know it?  Any
insights would be appreciated.  I'd like to make sure i understand
what assurances are actually being offered by this protocol, because
i'd like to be able to advocate for its use in the appropriate
situations.

Regards,

        --dkg

PS for the list admin: when i tried to subscribe to this list by
   replying to the confirmation e-mail, i got the following bounce.  I
   managed to confirm via the web UI, but you might want to look into
   this:

   ----- The following addresses had permanent fatal errors -----
"|/var/lib/mailman/mail/wrapper mailcmd otr-users"
    (reason: 6)
    (expanded from: <otr-users-request at lists.cypherpunks.ca>)

   ----- Transcript of session follows -----
Illegal command: mailcmd
554 5.3.0 unknown mailer error 6

Reporting-MTA: dns; paip.net
Received-From-MTA: DNS; relay03.pair.com
Arrival-Date: Thu, 18 Sep 2008 11:11:24 -0400

Final-Recipient: RFC822; otr-users-request at lists.cypherpunks.ca
X-Actual-Recipient: X-Unix; |/var/lib/mailman/mail/wrapper mailcmd otr-users
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Unix; 6
Last-Attempt-Date: Thu, 18 Sep 2008 11:11:24 -0400
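
Added example (not part of the original message, and not OTR's own code): a small model of the reasoning above, showing who could have authored a validly tagged message when 2 parties hold the key, when 3 do, and when an outsider is later handed the key. It assumes HMAC-SHA256 under one shared key as a stand-in for "wrapped in the session key"; the names `alice`, `bob`, `carol`, `judge` and all function names are hypothetical.

```python
import hashlib
import hmac
import os


def tag(mac_key: bytes, message: bytes) -> bytes:
    """MAC a message under the shared session key."""
    return hmac.new(mac_key, message, hashlib.sha256).digest()


def verify(mac_key: bytes, message: bytes, mac: bytes) -> bool:
    """Constant-time check that mac is valid for message under mac_key."""
    return hmac.compare_digest(tag(mac_key, message), mac)


def possible_authors(key_holders, verifier, mac_key, message, mac):
    """Return everyone who could have produced a valid (message, mac) pair,
    as seen by `verifier`. A key holder can rule out only itself; an
    outsider who is later handed the key can rule out nobody."""
    if not verify(mac_key, message, mac):
        return set()  # invalid tag: not produced by any key holder
    return set(key_holders) - {verifier}


def demo():
    key = os.urandom(32)            # constructed stand-in for the session key
    msg = b"meet at noon"           # constructed sample message
    mac = tag(key, msg)             # what Alice would send alongside msg
    forged = b"I never said that"   # text Bob writes himself after the fact
    pair, trio = {"alice", "bob"}, {"alice", "bob", "carol"}
    return {
        # n = 2: Bob did not write it, so it must be Alice (authentication)
        "two_party": possible_authors(pair, "bob", key, msg, mac),
        # n > 2: Bob cannot tell Alice from Carol
        "group": possible_authors(trio, "bob", key, msg, mac),
        # third party shown the transcript and key: either could be the author
        "judge": possible_authors(pair, "judge", key, msg, mac),
        # deniability: Bob's own forgery verifies exactly like Alice's messages
        "bob_forgery_verifies": verify(key, forged, tag(key, forged)),
        # a modified message fails for everyone
        "tampered": possible_authors(pair, "bob", key, msg + b"!", mac),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```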