Hi Aron, you are somewhat arrogant. Please read what I wrote till completion.
Regards, On Fri, Jul 22, 2011 at 9:17 PM, Aaron Toponce <aaron.topo...@gmail.com> wrote: > On Fri, Jul 22, 2011 at 07:56:42PM -0300, Marcio B. Jr. wrote: >> Hello Daniel, >> sorry for such a delay; this has been a wild JULY. >> >> >> On Wed, Jul 6, 2011 at 4:09 PM, Daniel Kahn Gillmor wrote: >> > On 07/06/2011 01:28 PM, Marcio B. Jr. wrote: >> >> So far, OTR adoption seems unjustifiable, really. I mean, it uses the >> >> Diffie-Hellman key exchange method with block ciphers. >> > >> > Why does this seem unjustifiable to you? DH and block ciphers are >> > widely-reviewed parts of the standard crypto toolkit. Do you have >> > reason to believe they're generally bad? >> >> It seems unjustifiable because there exists an option in which secret >> keys need not to take risks. And if there's any security concern and >> one's to choose between zero risk and any other positive-value risk, >> it's reasonable to pick the former. > > Are you familiar with the DH key exchange? It doesn't seem that you are. > There is no risk in sharing the private key between the two parties. It > basically goes like this: > > Step 1: A generates the private key. > Step 2: A encrypts the private key with a one-time session key. > Step 3: A sends the encrypted private key to B. > Step 4: B encrypts the encrypted private key with his 1-time key. > Step 5: B sends the doubly-encrypted private key to A. > Step 6: A decrypts what he can with his one-time session key. > Step 7: A sends the resulting encrypted key to B. > Step 8: B decrypts the private key with his 1-time key. > > B now has the private key. > > The one-time session keys are never shared, but stored locally on the > machine. Once the DH key exchange finished, the session keys are destroyed. > No where in the exchange is there any risk of the private key being > compromised. A MITM can grab all the packets he likes. Unless he has one or > both session keys, he's not getting the private key. > > -- > . o . o . o . . o o . . . o . > . . o . o o o . o . o o . . o > o o o . o . . o o o o . o o o > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > Marcio Barbado, Jr. _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users