On Fri, Jan 31, 2014 at 10:36 AM, Adam Zimmerman <[email protected]> wrote:
> On 14-01-31 09:24 AM, Trevor Perrin wrote:
>> - SAS are maybe useful for text chat, though I'm not sure how much
>> they're used in OTR compared to fingerprints or PAKE (OTR is unusual
>> in having all three options. Is there any data on which users
>> prefer?)
>
> OTR used to have something called a session id (IIRC), which was
> essentially a long version of an SAS. I think they removed it around the
> same time they started using the Socialist Millionaire Protocol to do
> shared secret auth, for usability reasons.

Initially OTR's session ID was not a "SAS". OTR v2 (2005) made it a 64-bit SAS and also introduced the "Socialist Millionaires' Protocol" for parties to confirm that they share a secret [1].

The Session ID wasn't removed, but I'm not sure it was ever used much. Most discussions of OTR focus on fingerprints and SMP (eg [2,3]). Perhaps explaining fingerprints and SMP is hard enough, and adding the Session ID is too complicated?

That matches my sense that SAS are best for voice and video where the value can be checked "in-band", but for "out-of-band" checking fingerprints are better, as they can be checked against business cards, directories, mutual friends, etc.

(And even for in-band checks, Peter and DKG raise good questions about SAS security.)

Trevor

[1] https://otr.cypherpunks.ca/Protocol-v2-3.1.0.html
[2] http://www.cypherpunks.ca/~iang/pubs/impauth.pdf
[3] http://www.cypherpunks.ca/~iang/pubs/otr_userstudy.pdf
