[cryptography] OTR and deniability
iang at iang.org
Tue Jul 19 14:09:52 PDT 2011
On 19/07/11 1:59 PM, James A. Donald wrote:
> On 2011-07-19 9:48 AM, Ian G wrote:
>> OTR makes the same error. It takes a very interesting mathematical
>> property, and extends it into the hard human world, as if the words carry
>> the same meaning. Perhaps, once upon a time, in some TV court room
>> drama, someone got away with lying about a document? From this, OTR
>> suggests that mathematics can help you deny a transcript? It can't. It
>> can certainly muddy the waters, it can certainly give you enough rope to
>> hang yourself, but what it can't do is give some veneer of "it didn't
>> happen." Not in court, not in the hard world of humans.
> OTR gives you the same deniability as a plaintext communicated person to
> person. "He said ... she said"
(I suspect a confusion here. A plaintext is a document, whereas "he said,
she said" is witnessed or hearsay. They have wildly different effects in
court, under interrogation.)
> No more, and no less.
> But that is quite a lot of deniability.
Actually, I suspect not. I humbly submit to the court that a plaintext
document plus the presence of OTR is somewhat less deniable than a
plaintext document by itself, which are both less deniable than a
Perhaps we could lump this under the law of unexpected consequences?
Part of the problem I have semantically with OTR is that it isn't OTR. The
presence of a record means it is on the record. While OTR-the-product
might be attempting to decrease the tamper-resistance qualities of the
document, there is manifestly a document. And such presence tends to
outweigh in real life any advantage gained by tampering.
If it was truly OTR, it would turn off the record. That's what it means,
the tape stops rolling, the typist stops typing.
Probably we can't achieve precisely that, within the context of p2p
communications without TCBs. But we can come close. There are
possibilities: Counterparties can contract to delete the record
afterwards, exposing themselves to civil claims if this is not done.
Further, it might be possible to make declarations under penalties of
perjury that the record has been deleted. Or, we could IPR it, or even
invoke DMCA over it, and have the OTR application do the deed under a
I'm not suggesting that this be done; just that it seems to be evident
that OTR doesn't take much in the way of steps to take something "off the
record." What it does achieve, IMHO, is make it easier for a court to rule
against a false repudiation. This is hard to see as an advantage to the
users, who might be tempted to talk as if they can later deny the
conversation. E.g., Wikipedia, that notably deniable authority, says:
"The primary motivation behind the protocol was providing deniability for
the conversation participants while keeping conversations confidential,
like a private conversation in real life, or off the record in journalism
iang, the other other one
cryptography mailing list
cryptography at randombit.net
----- End forwarded message -----
Eugen* Leitl leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE