On Thu, 17 Mar 2016, David Goulet wrote:
> We've mostly discussed the OTR version 4 "design and specification".
Thanks for the notes!
> - Kill SHA1 with fire and use SHA3.
I'd be okay with SHA2 or SHA3 at this point.
> - Ratcheting: use axolotl. Ref: https://github.com/trevp/axolotl/wiki
good :)
> - DAKE (Deniability AKE). Ref: https://cs.uwaterloo.ca/~iang/pubs/dake-ccs15.pdf
>   - Proposal is being tested and written by Ian's student. O(weeks) before seeing something.
>   - Free feature: offline messages.
Not qualified to comment on :P
> - Have an unauthenticated encrypted channel at the very beginning of the data exchange.
How is that different from v3?
> - Use curve25519.
Why not Curve448? We are talking about high-value content that might need decades of confidentiality. See https://tools.ietf.org/html/rfc7748#section-7

There is no mention of AES in these notes. I assume there is at least a move from AES128 to AES256?
> - Algorithm agility is in the version protocol. Let's _NOT_ exchange cipher lists.
Will the default at first be to speak both 3 and 4, e.g. using "?OTRv34?"? Is there some assurance this would be safe against a downgrade attack, so that two clients capable of speaking v4 will not end up on v3 and thus have far lower security due to AES128/SHA1/MODP1536?
> - Improve version rollback issues with v4.
Probably related?

Thanks,
Paul

_______________________________________________
OTR-dev mailing list
OTR-dev@lists.cypherpunks.ca
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
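The downgrade question raised in the reply above (what stops an active attacker from rewriting a "?OTRv34?" query into "?OTRv3?" so that two v4-capable clients end up on v3) as a worked example. This is code added here; it is not from the thread, from David's notes, or from any OTR implementation. It follows the OTRv3 query-message grammar ("?OTR?" advertises v1, "?OTRv3?" advertises v3, "?OTR?v3?" both), but treating the digit 4 as an OTRv4 version tag is an assumption (the thread defines no v4 wire format). The session key is a constructed stand-in for an AKE output, and the mitigation shown, authenticating the offered version set after the key exchange, is a generic technique chosen for illustration, not a description of what OTRv4 specified.

```python
# Added example, not code from the OTR-dev thread or any OTR implementation.
# Models OTR query-string version negotiation, an in-flight downgrade by an
# active network adversary, and an after-the-fact check that detects it.
# Assumptions: digit "4" is an OTRv4 tag; the session key is constructed.
import hashlib
import hmac


def parse_query(msg):
    """Return the set of OTR versions advertised by a query message.

    OTRv3 grammar: "?OTR", then an optional "?" (meaning version 1), then
    optionally "v" + version characters + "?". Text after the query is a
    human-readable tail and is ignored. Malformed queries yield set().
    """
    start = msg.find("?OTR")
    if start < 0:
        return set()
    rest = msg[start + 4:]
    versions = set()
    if rest.startswith("?"):
        versions.add(1)
        rest = rest[1:]
    if rest.startswith("v"):
        end = rest.find("?", 1)
        if end < 0:
            return set()  # unterminated version list: reject it
        versions.update(int(c) for c in rest[1:end] if c.isdigit())
    return versions


def build_query(versions, tail=""):
    """Serialize a version set in canonical OTR query form plus an optional tail."""
    q = "?OTR"
    if 1 in versions:
        q += "?"
    higher = sorted(v for v in versions if v != 1)
    if higher:
        q += "v" + "".join(str(v) for v in higher) + "?"
    return q + tail


def negotiate(offered, supported, minimum=1):
    """Pick the highest version both sides know; refuse anything below the
    local policy floor (a 'require v4' policy is minimum=4)."""
    common = offered & supported
    if not common:
        return None
    best = max(common)
    return best if best >= minimum else None


def attacker_strips(msg, version):
    """Active adversary rewriting the query in flight: drop one version digit
    and leave the human-readable tail intact (assumes a canonical query)."""
    offered = parse_query(msg)
    tail = msg[len(build_query(offered)):]
    return build_query(offered - {version}, tail)


def version_tag(session_key, versions):
    """MAC over a version set under a key the two endpoints share only after
    the authenticated key exchange. The sender tags the set it really offered;
    the receiver recomputes the tag over the set it actually saw."""
    encoded = ",".join(str(v) for v in sorted(versions)).encode()
    return hmac.new(session_key, b"otr-versions-offered|" + encoded,
                    hashlib.sha256).digest()


def downgrade_detected(session_key, sender_offered, receiver_saw):
    """True when the authenticated claim and the observed query disagree,
    i.e. something between the endpoints edited the version list."""
    return not hmac.compare_digest(version_tag(session_key, sender_offered),
                                   version_tag(session_key, receiver_saw))


def run_scenario(tamper):
    """Return (negotiated_version, downgrade_detected) for one conversation setup."""
    alice_supports = {3, 4}
    bob_supports = {3, 4}
    query = build_query(alice_supports, " Alice has requested an OTR conversation.")
    on_wire = attacker_strips(query, 4) if tamper else query
    bob_sees = parse_query(on_wire)
    chosen = negotiate(bob_sees, bob_supports)
    # Constructed stand-in for a key derived inside the authenticated exchange.
    session_key = hashlib.sha256(b"constructed AKE shared secret").digest()
    return chosen, downgrade_detected(session_key, alice_supports, bob_sees)


if __name__ == "__main__":
    print("honest run:   version=%s downgrade=%s" % run_scenario(False))
    print("tampered run: version=%s downgrade=%s" % run_scenario(True))
```

Two practical points fall out of the model. The authenticated confirmation only fires after the key exchange has completed, so a stripped query still causes a v3 AKE to run before anyone notices; a policy floor (`negotiate(..., minimum=4)`) prevents the fallback outright but breaks interoperability with peers that only speak v3. Which trade-off is right depends on whether v3 peers still need to be reachable.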