On Wed, Dec 10, 2014 at 6:56 PM, Eleanor Saitta <[email protected]> wrote: > > Actively signing a message and failing to support deniability are not > the same, as I have explained elsewhere.
""" Un-signed and deniable are distinct properties. I'm definitely not arguing against unsigned transcripts; making an active effort to make repudiation difficult is a very different question than designing for the field utility of deniability. """ https://moderncrypto.org/mail-archive/messaging/2014/001191.html I think some people (like myself) do think of deniability as mostly about not signing messages. Or more strongly: not producing any signed evidence of conversations by default. I'll agree there's other notions of deniability floating around, but I'd like to defend this modest interpretation. First, I don't think this needs to be explained to users, because it's not a change from what they're used to. On the contrary, having signed, hard-to-disavow traces of conversations lying around seems like a significant and surprising change. I'd be much more worried about explaining *that* to users. Second, I'd argue this form of deniability is fairly easy to achieve: In a 2-party case you can achieve it with signature-less key agreements like MQV, TripleDH, NaCl, etc. You could even use a signed key agreement, if you only sign your own ephemeral DH public key (and of course, take care to hash identity info into the session key). These are good choices even aside from deniability, so deniability isn't imposing much of a constraint here. The only trade-off I see is that if the sender signs messages directly, there's a nice property that the recipient's ability to authenticate does not depend on any recipient private keys, and so will survive even if the recipient's keys are compromised. That's not compatible with deniability, but this seems minor and acceptable. In a multiparty case, authentication is generally done via pairwise 2-party key agreements (see mpOTR, (n+1)sec, TextSecure). If messages are also encrypted pairwise, then no new signatures are added, so deniability is preserved. To reduce traffic, some multiparty protocols might have the sender encrypt messages with a single symmetric key and sign them with some ephemeral signing key, where the ephemeral signing keys are exchanged over the pairwise protocol. But even though this introduces signatures, it still doesn't affect this sort of deniability. As mpOTR argues: "Because the key exchange protocol is deniable, there is no transferable proof that any party has committed to use any given [ephemeral signing] key". Trevor _______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
