[OTR-users] multi-party OTR communications? (and other OTR details)
Ian Goldberg
ian at cypherpunks.ca
Mon Sep 22 11:28:29 EDT 2008
On Mon, Sep 22, 2008 at 11:06:54AM -0400, Daniel Kahn Gillmor wrote:
> Thanks for the reply, Ian!
>
> On Mon 2008-09-22 09:29:32 -0400, Ian Goldberg wrote:
>
> > there are a couple of people working on just what a group version of
> > OTR should look like, and what its properties should be.
>
> Where is this discussion taking place? I'd be interested in
> participating, though i don't have a ton of time to do so.
A couple of people are conversing by email, as far as I know.
> > Indeed, with the current version of OTR, if Bob keeps a copy of his
> > secrets, he can prove that someone he's in cahoots with at some
> > point in the past started an OTR session with Alice's client.
> > (Because Alice signs a MAC over Bob's ephemeral DH key.) But anyone
> > can start an OTR conversation with anyone else (quite
> > intentionally). On the drawing board is a variation that will
> > remove even this.
>
> This is very interesting. Can you give a summary of how something
> like this might be possible without removing the ability to be sure
> that your conversation partner is who they claim to be?
You just sign something fresh, but not necessarily the DH public parts.
Both parties can contribute a nonce, for example, and you can sign that.
You also keep the MAC on your identity, and you've still got SIGMA.
> While the deniability features are pretty cool from a crypto
> perspective, it doesn't seem to me like they offer any *more*
> deniability than the deniability you have with unencrypted/unsigned
> material (e.g. the contents of a web server logs, or a traffic dump
> From a router). Given that unencrypted/unsigned digital material is
> regularly respected as powerful evidence in legal disputes, contract
> negotiations, and journalism already, i'm not sure how much practical
> gain OTR users really get from the deniability property (though if the
> legal or journalistic climate *does* change, it would certainly be
> advantageous).
You've got it exactly right; I say almost those exact words in my OTR
talks. [You can see a couple of videos of those online.]
OTR offers the same level deniability as plaintext. But it also offers
strong authentication *during* the conversation. If you used
pidgin-encryption, for example, every message is digitally signed, which
would certainly give you *less* deniability than plaintext.
> I guess what i'm saying is that the deniability feature of OTR is not
> as high a priority for me as the other features (such as IM-layer
> protocol independence, remote-party authentication (including SMP),
> and a clear, simple UI).
You are in the majority. ;-)
- Ian
More information about the OTR-users
mailing list