Ron Garret(r...@flownet.com)@Sat, Feb 04, 2017 at 09:25:11AM -0800:
> The X3DH protocol calls for Bob to publish a set of one-time pre-keys
> (OTPKs) to the server. What is the purpose of this? Why not just
> have Bob issue an OTPK directly to Alice on demand as the first step
> in the protocol?

Just for recap: The specific gain of prekeys is that they mix a bit of information from the receiving side into the DH handshake that they can delete. They serve the equivalent purpose that the ephemeral key does on the sending side, thus making the handshake information ephemeral on both sender and recipient sides. It has no effect on authentication.

> The only possible answer I can think of is that Bob might not be
> on-line to fulfill the request. But the whole point of X3DH (as I
> understand it) is to establish a session key for a real-time
> communications session, so if Bob is not on line the whole protocol is
> moot.

Why is it moot? Alice can send a message to Bob with all the properties in place, that Bob can receive and read at any later point. Getting "real-time" communication right brings up a whole different set of issues, which I'm not sure are actually easier to get right. More importantly, this is in line with what users came to expect from other communication tools (SMS, email, ...), that once a message is sent it is "in transit", not just waiting to be sent once the recipient is online.

- V