Len Sassaman wrote:
On Thu, 11 Aug 2005, Ian G wrote:
That is, OTR only works when it doesn't matter.
This is taking crypto into the real world and not
realising the real world has an ability to do things
too. In practice, if any one tried the OTR approach
in court, they would quite rightly be screwed.
I think we are drifting off the OpenPGP charter
though.
I'll try to bring this back to OpenPGP for a minute.
Well, seeing as there is another thread on
the relationship of signing to encryption,
let's carry on :)
> The problem, as I see
it, is that if Alice uses OpenPGP to sign and encrypt his messages, she's
actually facing a worse situation in court than if she hadn't been using
OpenPGP, should the other party turn against her. There now exists
cryptographic signature data to establish, beyond the word of the other
party, that Alice definitively send the messages in question.
Right but this needs to be integrated into the
real world. Firstly, what does that signature
mean? What was it doing there? Because this
question is unanswered, and I'd say, unanswerable,
most people (in my experience) don't use signed
email. They simply encrypt.
Secondly, the way court works is that if one
party tables a message, it's generally accepted
at face value. In practice, the mere presence
of the message is its own authentication.
Only if the other party were to repudiate it
would there be any question and then the notion
of digsigs could be brought in. But even then,
it is (IMHO) rather unlikely that any opinion
would turn on such issues, as courts have their
own ways of dealing with such things already.
In general practice, people do not lie about
documents in court, neither forging documents
nor repudiating ones they themselves authored.
And this is before any consideration of digsigs
or OTR. So while your argument might be logical,
it's relevance to actual practice is not clear.
OTR allows is users to have strong authentication of encrypted messages
without the *additional risk* that normal digital signatures introduce.
Turn it around and ask how important strong
authentication is? When was the last time you
needed it in email or IM? I suggest it is something
that we inherited from some military threat model
that isn't really relevant to our environment.
Once that disappears, there isn't really much point
in OTR, and you may be better off just sending
totally unauthenticated messages. With PFS, if
you like. Others disagree of course.
Alice is no better off in the court scenario that you describe, using OTR
vs. not using anything, but this way she can use an encryption system that
doesn't expose her to greater potential danger, should the other party
defect.
I fear it is the other way around?
As a minor issue, if OTR's claim is that it
encourages Alice to repudiate, and that were
brought up in court, Alice might be in a
strictly worse position. On the one hand,
she is being dared to lie to the judge,
and on the other, she's been seen to use a
tool that has a sole advantage of repudiation.
What is she going to do? Lie about the message,
but accept the fact that she uses a tool that
encourages her to lie about messages?
This problem is a really difficult one, and I
do like the fact that they attacked the problem.
I've been toying with legal ways around this for
years and have never yet came across a way that
was worth it.
I think it's really important to move towards
PFS as a standard part of the crypto makup, for
this and other reasons. But short of making
messages disappear from your machine, I've yet
to think of a way to make this happen in a strict
p2p environment.
iang