The Call of the Open Sidewalk

From a place slightly to the side of the more popular path

User Tools

Site Tools


pgpfan:off_the_record

Off the Record

The Off the Record instant message privacy protocol is interesting in a PGP context because it introduced forward secrecy and Deniability as desirable features. The provocatively titled proposal provides the rationale for these features:

The basic idea is that it could be possible to have a conversation over the internet that only exists in the minds of the participants after it is complete. Any sort of cryptography, including PGP, can achieve this. The OTR proposal goes further and suggests a situation where an eavesdropper records the encrypted traffic and then steals the appropriate private key later to decrypt messages that were supposed to be gone forever. Unlikely, but at least one national signals intelligence agency is rumoured to record encrypted traffic on the internet so this is at least possible. A forward secrecy scheme is used to prevent this.

The OTR proposal claims that a signed message could be used to prove that a particular person generated a message. It wasn't explained how that would be an issue in some real life case. If the protocol has forward secrecy then there will be no signed messages from the past that could haunt people in the present so this should not be an issue for OTR. For some reason the OTR proposal goes even further and suggests that there might be some value in arranging things so a participant can deny ever creating a message, should the other participant leak it. That shaky rationalization allowed the Deniability feature to be added to the OTR protocol. The Signal Protocol inherited the feature from OTR.

From the OTR proposal:

Some time later, Eve manages to obtain Bob’s private key, … In addition, Eve has evidence in the form of a cryptographic digital signature that Alice was the one who sent the messages.

This can be understood if you know that PGP first signs the message and then encrypts it. So decryption reveals a signed message. To prove a direct connection between Allice and the message would require access to her key (not Bob's) so this implies some other way to relate the message to the person.

Alice may not want to empower Bob with the ability to prove to third parties about what she told him in private; this concern is amplified by moves of many governments to associate legal power with digital signatures.

There seems to be an assumption here that there exists, or might exist, some sort of register of public keys that are directly linked to the identities of real people. One of the important reasons that PGP exists is that it allows users to retain control over their identities. There is no central registry by design. So in the case of PGP the whole repudiability thing falls apart.

PGP FAN index

pgpfan/off_the_record.txt · Last modified: 2020/11/03 11:27 by b.walzer