On Mon, 5 Feb 2007, Oded Arbel wrote:
> You seem to imply that with off-the-record, both a third party that has access to the entire session can prove the identity of at least one side of it (destroying deniability) and that on a second session one cannot be assured of the identity of the other person w/o again performing manual verification (destroying authentication). So you are essentially calling the OTR guys liars, right?
I am not familiar with OTR but I have good reasons to believe that if a third party (like an OTR client's ISP) intercepts all the client's communications with OTR during a session then they may be able to play man-in-the-middle after that, unless the OTR client and OTR (or another client) share a secret that is not communicated through the intercepted channels. So I'm not calling them liars; please don't put words in my mouth, I hate that. I assume that with sufficient effort the powers that be could eavesdrop on the communication without trying very hard.
Peter