ietf-openpgp

Re: Draft Minutes of OpenPGP

2005-08-11 08:14:32

On Thu, 11 Aug 2005, Ian G wrote:

That is, OTR only works when it doesn't matter.

This is taking crypto into the real world and not
realising the real world has an ability to do things
too.  In practice, if anyone tried the OTR approach
in court, they would quite rightly be screwed.

I think we are drifting off the OpenPGP charter
though.

I'll try to bring this back to OpenPGP for a minute. The problem, as I see
it, is that if Alice uses OpenPGP to sign and encrypt her messages, she's
actually facing a worse situation in court than if she hadn't been using
OpenPGP, should the other party turn against her. There now exists
cryptographic signature data to establish, beyond the word of the other
party, that Alice definitively sent the messages in question.

OTR allows its users to have strong authentication of encrypted messages
without the *additional risk* that normal digital signatures introduce.
Alice is no better off in the court scenario that you describe, using OTR
vs. not using anything, but this way she can use an encryption system that
doesn't expose her to greater potential danger, should the other party
defect.


--Len.
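
The distinction argued in this message, as an added example that is not part of the original post: a simplified model in which HMAC-SHA256 under a shared session key stands in for OTR-style message authentication. The function names, messages and key are constructed for illustration. Bob can authenticate Alice's message, but because he holds the same key he can produce an equally valid tag on text she never wrote, so the tag gives a third party no evidence of authorship, unlike an OpenPGP signature that only Alice's private key can make.

```python
import hashlib
import hmac
import secrets


def tag(key: bytes, message: bytes) -> bytes:
    """MAC a message under the session key both parties hold."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, mac: bytes) -> bool:
    """Constant-time check that the MAC matches the message."""
    return hmac.compare_digest(tag(key, message), mac)


def demo() -> dict:
    # Constructed session key; in a real protocol both sides derive it
    # from a key exchange, so Alice and Bob each hold an identical copy.
    shared_key = secrets.token_bytes(32)

    # Alice sends an authenticated message; Bob checks it during the chat.
    real_msg = b"Meet at noon."
    real_mac = tag(shared_key, real_msg)
    bob_accepts_alice = verify(shared_key, real_msg, real_mac)

    # Later Bob "defects" and shows a transcript to a third party.
    # He can compute a valid tag on any text, using the same key.
    forged_msg = b"I agree to everything Bob says."
    forged_mac = tag(shared_key, forged_msg)

    # A third party given the key cannot tell the two apart: both verify.
    judge_accepts_real = verify(shared_key, real_msg, real_mac)
    judge_accepts_forged = verify(shared_key, forged_msg, forged_mac)

    # A third party without the key cannot verify anything at all.
    outsider_key = secrets.token_bytes(32)
    outsider_accepts = verify(outsider_key, real_msg, real_mac)

    return {
        "bob_accepts_alice": bob_accepts_alice,
        "judge_accepts_real": judge_accepts_real,
        "judge_accepts_forged": judge_accepts_forged,
        "outsider_accepts": outsider_accepts,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```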