[OTR-users] does authentication depend on secrecy of private key

Bits gsnqa6734n at snkmail.com
Fri Apr 17 10:33:27 EDT 2015


That's my understanding of it.
Many applications protect private keys with a pass phrase, but I'm not
aware of that option in OTR.  And even if it was an option, you still
couldn't be certain your buddy was using it.
I'll bet this situation isn't addressed b/c if Mallory can get private
keys, there are probably other, even worse problems.
--Bits

"Greg Reagle reagle-at-cepr.net |otr/Example Allow|"
<f0qdznaivt at sneakemail.com> on Friday, April 17, 2015 at 10:18 -0400 wrote:
>Hello all. I have a question about authentication in OTR. The docs say
>"However, once you've authenticated your buddy, you don't have to do it
>again. OTR will automatically do the authentication for all of your
>future conversations with that buddy." [1] My understanding is that the
>authentication is based on the idea that your buddy has a private key
>that no one else has. So what if you authenticate with your buddy Bob,
>then, somehow, Mallory gets access to Bob's computer and gets his secret
>key. Then OTR will continue to say that you are having an authenticated
>session with Bob, but it could be Mallory? Is that right?
>[1] https://otr.cypherpunks.ca/help/4.0.0/authenticate.php?lang=en
>-- 
>Greg Reagle
>System & Network Administrator
>Center for Economic and Policy Research
>reagle at cepr.net
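
The situation discussed in this thread, as an added example that is not part of either message or of OTR's own code: a client that remembers a verified key fingerprint gives the same answer to anyone who can sign with that key. The toy Schnorr signature, the nonce-signing exchange and every name below are assumptions standing in for OTR's real long-term key and key exchange.

```python
import hashlib
import secrets

# Toy Schnorr signature (stdlib only), standing in for a long-term key. NOT secure.
P = 2**127 - 1      # a Mersenne prime
G = 3
ORDER = P - 1       # exponents may be reduced mod P-1 (Fermat's little theorem)

def keygen():
    priv = secrets.randbelow(ORDER - 2) + 1
    return priv, pow(G, priv, P)

def fingerprint(pub):
    return hashlib.sha256(str(pub).encode()).hexdigest()[:40]

def _challenge(r, msg):
    return int.from_bytes(hashlib.sha256(str(r).encode() + msg).digest(), "big")

def sign(priv, msg):
    k = secrets.randbelow(ORDER - 2) + 1
    r = pow(G, k, P)
    return r, (k + _challenge(r, msg) * priv) % ORDER

def verify(pub, msg, sig):
    r, s = sig
    return pow(G, s, P) == (r * pow(pub, _challenge(r, msg), P)) % P

def session_status(verified_fp, pub, nonce, sig):
    # The client can only test "does the peer hold the key I verified?"
    if not verify(pub, nonce, sig):
        return "rejected"
    return "authenticated" if fingerprint(pub) == verified_fp else "unverified"

def demo():
    bob_priv, bob_pub = keygen()
    verified_fp = fingerprint(bob_pub)        # Alice authenticated Bob once
    copied_priv = bob_priv                    # constructed: the key file was copied
    mallory_priv, mallory_pub = keygen()
    nonce = secrets.token_bytes(16)
    out = {
        "bob": session_status(verified_fp, bob_pub, nonce, sign(bob_priv, nonce)),
        "copied_key": session_status(verified_fp, bob_pub, nonce, sign(copied_priv, nonce)),
        "other_key": session_status(verified_fp, mallory_pub, nonce, sign(mallory_priv, nonce)),
    }
    # Mitigation: Bob generates a new key and Alice verifies the new fingerprint.
    new_priv, new_pub = keygen()
    new_fp = fingerprint(new_pub)
    out["old_key_after_rekey"] = session_status(new_fp, bob_pub, nonce, sign(copied_priv, nonce))
    return out
```

`demo()` reports "authenticated" for both Bob and the holder of the copied key; the answer changes only once a new key is generated and its fingerprint is verified again.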

