On 2014.12.12 05.23, Trevor Perrin wrote:
> On Wed, Dec 10, 2014 at 6:56 PM, Eleanor Saitta <[email protected]> wrote:
>> Actively signing a message and failing to support deniability are
>> not the same, as I have explained elsewhere.
>
> """ Un-signed and deniable are distinct properties. I'm definitely
> not arguing against unsigned transcripts; making an active effort
> to make repudiation difficult is a very different question than
> designing for the field utility of deniability. """
> https://moderncrypto.org/mail-archive/messaging/2014/001191.html
>
> I think some people (like myself) do think of deniability as
> mostly about not signing messages. Or more strongly: not producing
> any signed evidence of conversations by default.
There's nothing wrong with this understanding of deniability, although I would argue that it does not rise to the level of significance that naming it implies. Most of what I see folks arguing for here is also something stronger.

The larger issue isn't even necessarily the cryptographic primitives chosen; it's the understanding of user actions that justifies those choices. When a community refuses to interact with the reality of user needs, the community demonstrates it is more interested in solving the problems it thinks users should have than the problems users do have. It argues that users should adapt their behavior, ignoring any reasons that users may have for their existing behavior as not even worth considering. This would be frustrating if it were not the exact same failure mode that has dogged the cypherpunk community for over two decades.

Guys, we had a big conversation about usability, right? And y'all have (mostly) been "oh, hey, yeah, I guess that Johnny Can't Encrypt paper is kind of embarrassing, maybe we should do something about that". Did you guys honestly think this was just about hiring a couple of artists to make your interfaces prettier? Usability is about putting user goals first, period. If your users do not need a thing to accomplish their goals, you do not force it on them.

Now, your users don't always know what they need, I hear you exclaiming. That's true. However, if you want to suggest this, it can't be your ego saying "me big cryptographer, me tell users what really matter", which is frankly most of what I've heard here. You need evidence. You need field experience. You need testing. And then you need to explain what you've done to your users so they can take it into account.

This isn't (just) about deniability. This is about the entire process of security design and the failure of this community to engage in it, as indicated by the continued treatment of deniability as a first-class property and the arguments presented for it.

E.
-- 
Ideas are my favorite toys.

Messaging mailing list, https://moderncrypto.org/mailman/listinfo/messaging
