[OTR-users] Question-/Anwer authentication - Possible improvement
Daniel Brendle
grindhold at skarphed.org
Tue Dec 10 09:34:09 EST 2013
Hello, OTR-people
//Edit. As i read through my email again, i recognized that it would be
more readable writing "person A" for the person that wants to
authenticate someone by question-and-answer and "person B" for the
person who is to answer the secret question.
I have a question regarding the question/answer-authentication-process
in OTR. It often happens, that me and friends, who i try to convince to
using OTR end up doing the authentication several times because of mere
typos or upper-/lowercase stuff. In other cases, person B knows the
right answer to the question but expresses it in an other manner that
person A the question expected.
When i understand OTR right, the communication (also the
verification-process) is already done under the protection of
encryption.
Wouldn't it be possible to send the question to person B, wait for the
answer and let person A interpret the result, not the machine, without
losing strength of security?
As i see it, it would even increase security as well as usability:
1. We could utilize much more complicated questions that require much
more complicated answers, which were, as it currently is done,
impossible to do because there are differences in the version of person
A and person B.
2. It would increase usability of OTR and thereby acceptance by more
normal not-geeky people.
Maybe i am missing something. Why is OTR not working the way i
described?
Regards, Grindhold
Kudos to the OTR-Devs. You are doing marvellous work.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.cypherpunks.ca/pipermail/otr-users/attachments/20131210/5ebf4d13/attachment.pgp>
More information about the OTR-users
mailing list