Len Sassaman wrote:
On Thu, 4 Aug 2005, Ian Grigg wrote:
Currently, IM is mostly unsecured (there is this thing
to do with SSL to the server, but as the threat is on
the node, that's ignorable). The way to approach
securing chat (IMHO) is to layer OpenPGP over the
top in a transparent fashion.
OpenPGP has a lot of characteristics that one wouldn't particularly want
in an IM privacy protocol.
Sure, it's a very general comment (and more specifically,
I note that my own secure IM protocol doesn't as yet
enjoy OpenPGP).
> You might want to take a look at the "Off The
Record Messaging" system designed by Goldberg and Borisov. Their WPES
paper addresses the rationale behind ditching the OpenPGP threat model.
http://www.cypherpunks.ca/otr/#docs
Ah, now IMHO they bungled the threat model. Normally
this wouldn't be an issue (I encourage all crypto
experiments, even ones I think suck!), but the authors
then go on to suggest that the user can repudiate and
is protected because no-one can prove the messages were
sent.
The threat is on the node, and this includes your
other party. If your other party says you sent the
messages, then your silence, or your claim that it
can't be proven, are inadequate. You actually have
to say you didn't send the messages. So this means
that the property of repudiability is only available
if you lie, which is not only a contradictory
approach, but also extraordinarily dangerous and
in practice useless in court or in any adversarial
setting.
That is, OTR only works when it doesn't matter.
This is taking crypto into the real world and not
realising the real world has an ability to do things
too. In practice, if any one tried the OTR approach
in court, they would quite rightly be screwed.
I think we are drifting off the OpenPGP charter
though.
(More generally, I agree with the sentiment that ASCII-armored OpenPGP is
important for use with other protocols besides email, and should be the
canonical format for OpenPGP, email and otherwise.)
Cool!
iang