[OTR-users] Does OTR cache authentication questions?

Pete Stephenson pete at heypete.com
Tue Sep 10 08:45:16 EDT 2013


On Tue, Sep 10, 2013 at 2:24 PM, Ian Goldberg <ian at cypherpunks.ca> wrote:
> I would normally expect the session keys to have changed by then, and so
> the (long-delayed) message should have become unreadable by your buddy?

The long-delayed authentication message was readable by him.

> Or is it the case that right after you originally sent the auth
> request, you stopped chatting for a week (but kept your IM clients
> open)?

No. I apologize for the confusion. Here's what happened:

(Chat session a month or two ago)
1. My friend and I are chatting in an Unverified OTR-secured session.
2. I send a question-and-answer authentication request to my friend.
3. A few minutes elapse without any response to the request. Both of
us remain online and connected during the time, and we exchange
several IMs while I'm waiting for him to complete the authentication
request.
4. I IM my friend to inquire if he received the request. He says he
never received it.
5. I send him a new request with a different question.
6. He receives the new request, answers the new request correctly, and
thus authenticates himself to me.

(Chat session today)
1. My friend and I are chatting in an unencrypted, non-OTR-secured
session. I am using the same computer (with Pidgin/OTR the same as
before), though I have restarted several times since the previous
session. He is using a new system (same hardware, but he reformatted
and reinstalled Windows between our last session and today).
2. My friend and I wish to chat securely, so he installs OTR,
generates a new keypair, and we establish an Unverified OTR-secured
session.
3. We chat for a few minutes over this Unverified session.
4. I initiate a question-and-answer authentication request to my friend.
5. My friend sees the question from the long-delayed authentication
request (sent in step 2 in the chat session a month or two ago) but
does not receive the authentication request I sent in step 4 today.
6. He answers the long-delayed authentication request. However, since
the questions and answers in the two requests were different (and my
client expects the answer to the new request, not the long-delayed
one) my system says he failed the request.
7. He IMs me to ask why, as he correctly answered the long-delayed question.
8. After further discussion we discover that he had only seen the
long-delayed question, not the current one.
9. I send him another question-and-answer authentication request (with
a different question and answer than the long-delayed one and the one
in step 4). He correctly answers this request and my system shows him
as verified.

> Was this with pidgin-otr 4 on both sides?

Yes. Both of us were using 4.0.0-1 and Pidgin.

If there's any additional information you'd want, please ask and I'll
do my best to provide it.

Cheers!
-Pete

-- 
Pete Stephenson