

On OTR and deniability - rl1987
http://lists.randombit.net/pipermail/cryptography/2011-July/001157.html

======
pnathan
Quote: """ OTR makes the same error. It takes a very interesting mathematical
property, and extend it into the hard human world, as if the words carry the
same meaning. Perhaps, once upon a time, in some TV court room drama, someone
got away with lying about a document? From this, OTR suggests that mathematics
can help you deny a transcript? It can't. It can certainly muddy the waters,
it can certainly give you enough rope to hang yourself, but what it can't do
is give some veneer of "it didn't happen." Not in court, not in the hard world
of humans. """

I don't see any 'why' here. Maybe the context of this particular discussion
would clarify it. Maybe it's well-known in places I have not read.

I think that perhaps a steganography implementation combined with OTR might
provide a very interesting approach to hiding crypto communication and
providing reasonable doubt on the transmission's existence.

~~~
eru
OTR can be trivially faked. So if you have a transcript of me saying "I did
not commit the crime.", you can easily manufacture "I did commit the crime."
And that's how it should be.

~~~
pnathan
So... OTR provides a way out from the PKI trap of requiring a private key to
encrypt (which in turn demonstrates access to the private key).

Perhaps I'm thinking about it narrowly, but that's all OTR is said to do, yes?

~~~
eru
If you have a cipher that produces a stream of good pseudorandom numbers, you
can use that as a one-time pad. Forging is trivial.

If I remember correctly: For the individual messages OTR uses Diffie-Hellman
to exchange the key. That means your dialog partner knows the same key, and
could have produced the message, too.

But if you want the details, look up
<http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html>
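
An added sketch of the two points in the comment above (not part of the original thread and not OTR's own code): both ends of a Diffie-Hellman exchange hold the same keys, so a valid MAC cannot show a third party which of them wrote a message, and text under an XOR keystream can be rewritten given the known plaintext. The toy group, the SHA-256 counter keystream, the "enc"/"mac" key-derivation labels and the exponents are assumptions made for illustration.

```python
import hashlib
import hmac

P, G = 2**127 - 1, 5  # toy DH group, illustration only (assumption)

def derive_keys(priv: int, peer_pub: int):
    # Both sides reach the same secret, then the same (enc_key, mac_key) pair.
    secret = pow(peer_pub, priv, P).to_bytes(16, "big")
    return (hashlib.sha256(b"enc" + secret).digest(),
            hashlib.sha256(b"mac" + secret).digest())

def keystream(key: bytes, n: int) -> bytes:
    # SHA-256 in counter mode, a stand-in for a real stream cipher.
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def mac(keys, ct: bytes) -> bytes:
    return hmac.new(keys[1], ct, hashlib.sha256).digest()

def seal(keys, msg: bytes):
    ct = xor(msg, keystream(keys[0], len(msg)))
    return ct, mac(keys, ct)

def verify(keys, ct: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(keys, ct), tag)

def rewrite(ct: bytes, old: bytes, new: bytes) -> bytes:
    # Known plaintext under an XOR stream: swap the text without the cipher key.
    assert len(ct) == len(old) == len(new)
    return xor(ct, xor(old, new))

def demo():
    a_priv, b_priv = 0x1234567, 0x89ABCDE  # constructed exponents
    alice = derive_keys(a_priv, pow(G, b_priv, P))
    bob = derive_keys(b_priv, pow(G, a_priv, P))
    said = b"I did not commit the crime."
    ct, tag = seal(alice, said)
    # Bob holds the same keys, so he can produce a message that verifies as Alice's.
    forged_ct, forged_tag = seal(bob, b"I did commit the crime.")
    # Same-length rewrite of the real ciphertext, re-tagged with the shared MAC key.
    ct2 = rewrite(ct, said, b"I did commit the crime.".ljust(len(said)))
    return {"same_keys": alice == bob,
            "original_ok": verify(alice, ct, tag),
            "forgery_ok": verify(alice, forged_ct, forged_tag),
            "rewritten_text": xor(ct2, keystream(alice[0], len(ct2))),
            "rewrite_ok": verify(alice, ct2, mac(bob, ct2))}
```

Every check in `demo()` passes for the genuine, the forged and the rewritten message alike, so a logged transcript with valid tags is no stronger evidence of authorship than plain text.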

------
kragen
At first glance, I thought this was a message by Ian Goldberg, one of the two
designers of OTR, but of course it's Ian Grigg.

His points are basically correct but I think a little overblown.

The point of OTR is not to provide you with real-world deniability, but simply
to _not remove it_ in one particular way, by not providing _additional_
evidence of the authenticity of a logged communication, beyond what would be
available if the communication were in plain text.

------
burgerbrain
"Ian G" correctly recognizes that OTR doesn't provide mathematical
reliability, but rather just prevents mathematical confirmation. The issue
here (seems to be) that he incorrectly thinks that it is said to do anything
else. "Ian Goldberg" (apparently a different person) points this out well here:
<http://lists.randombit.net/pipermail/cryptography/2011-July/001158.html>

There is also some mumbo jumbo about what math should or should not attempt to
do. If I'm reading this correctly, it seems like Ian G is also opposed to any
system that could do what he thinks OTR allegedly does. Seems like just
another opinion to me, not really worthy of much analysis.

