[cryptography] OTR and deniability

Ian Goldberg iang at cs.uwaterloo.ca
Thu Jul 14 13:32:01 EDT 2011


[I'm not usually on this list, but was pointed to this thread.  Warning
that we now have two "iang"s on here. ;-) ]

This is a common confusion about OTR.  OTR aims to provide the same
deniability as plaintext, while also providing the same authentication
as, say, PGP.  You want assurance that the other person is who he says
he is, but at the same time, you don't want digital signatures on all of
your messages which can be used by a third party (or even the person you
were speaking to) later to prove what you said.

You can't achieve *more* deniability than plaintext, of course.  Just as
plaintext chat logs might be trusted because you believe the
chain-of-custody, so might OTR logs be.  (If the OTR logs are the
ciphertexts, of course, you'd also need to log the keys to get anything
useful out, but even then, the point is that you could have used the
toolkit to modify individual messages, or even forge the whole
transcript.)

In this case, of course, the plaintexts were logged, so OTR's properties
don't even come into it.  Here, anyone could simply edit the text file
containing the logs.

   - Ian (the other "iang")



More information about the cryptography mailing list