[cryptography] OTR and deniability

Ian Goldberg iang at cs.uwaterloo.ca
Thu Jul 14 10:32:01 PDT 2011

[I'm not usually on this list, but was pointed to this thread.  Warning
that we now have two "iang"s on here. ;-) ]

This is a common confusion about OTR.  OTR aims to provide the same
deniability as plaintext, while also providing the same authentication
as, say, PGP.  You want assurance that the other person is who he says
he is, but at the same time, you don't want digital signatures on all of
your messages which can be used by a third party (or even the person you
were speaking to) later to prove what you said.

You can't achieve *more* deniability than plaintext, of course.  Just as
plaintext chat logs might be trusted because you believe the
chain-of-custody, so might OTR logs be.  (If the OTR logs are the
ciphertexts, of course, you'd also need to log the keys to get anything
useful out, but even then, the point is that you could have used the
toolkit to modify individual messages, or even forge the whole

In this case, of course, the plaintexts were logged, so OTR's properties
don't even come into it.  Here, anyone could simply edit the text file
containing the logs.

   - Ian (the other "iang")
cryptography mailing list
cryptography at randombit.net

----- End forwarded message -----
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the cypherpunks-legacy mailing list