[cryptography] OTR and deniability

Ian G iang at iang.org
Tue Jul 19 14:09:52 PDT 2011 

On 19/07/11 1:59 PM, James A. Donald wrote:
> On 2011-07-19 9:48 AM, Ian G wrote:
>> OTR makes the same error. It takes a very interesting mathematical
>> property, and extend it into the hard human world, as if the words carry
>> the same meaning. Perhaps, once upon a time, in some TV court room
>> drama, someone got away with lying about a document? From this, OTR
>> suggests that mathematics can help you deny a transcript? It can't. It
>> can certainly muddy the waters, it can certainly give you enough rope to
>> hang yourself, but what it can't do is give some veneer of "it didn't
>> happen." Not in court, not in the hard world of humans.
>
> OTR gives you the same deniability as a plaintext communicated person to
> person. "He said ... she said"

(I suspect a confusion here.  A plaintext is a document, whereas "he said, 
she said" is witnessed or hearsay.  They have wildly different effects in 
court, under interrogation.)

> No more, and no less.
>
> But that is quite a lot of deniability.

Actually, I suspect not.  I humbly submit to the court that a plaintext  
document plus the presence of OTR is somewhat less deniable than a  
plaintext document by itself, which are both less deniable than a  
non-existing document.

Perhaps we could lump this under the law of unexpected consequences?

Part of the problem I have semantically with OTR is that it isn't OTR. The 
presence of a record means it is on the record.  While OTR-the-product 
might be attempting to decrease the tamper-resistance qualities of the 
document, there is manifestly a document.  And such presence tends to 
outweigh in real life any advantage gained by tampering.

If it was truly OTR, it would turn off the record.  That's what it means, 
the tape stops rolling, the typist stops typing.

Probably we can't achieve precisly that, within the context of p2p  
communications without TCBs.  But we can come close.  There are  
possibilities:  Counterparties can contract to delete the record  
afterwards, exposing themselves to civil claims if this is not done.  
Further, it might be possible to make declarations under penalties of  
perjury that the record has been deleted.  Or, we could IPR it, or even  
invoke DMCA over it, and have the OTR application do the deed under a  
technological protection.

I'm not suggesting that this be done;  just that it seems to be evident  
that OTR doesn't take much in the way of steps to take something "off the 
record."  What it does achieve, IMHO, is make it easier for a court to rule 
against a false repudiation.  This is hard to see as an advantage to the 
users, who might be tempted to talk as if they can later deny the 
conversation.  E.g., wikipedia, that notably deniable authority, says:

"The primary motivation behind the protocol was providing deniability for 
the conversation participants while keeping conversations confidential, 
like a private conversation in real life, or off the record in journalism 
sourcing."

http://en.wikipedia.org/wiki/Off-the-Record_Messaging



iang, the other other one
_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the Testlist mailing list