On 12/11/14, Eleanor Saitta <[email protected]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > On 2014.12.10 19.45, Jacob Appelbaum wrote: >> On 12/10/14, Eleanor Saitta <[email protected]> wrote: >>> On 2014.12.10 17.00, Jacob Appelbaum wrote: >>>> Why not have both options, legally and cryptographically? >>> >>> Because if you want to have both options, even if there was >>> absolutely no cost in terms of protocol design, has a significant >>> cost in terms of user experience, user education, and end-user >>> security planning overhead. Every security invariant that you >>> intend to support must have a specific cost justification in >>> terms of end-user outcomes. Adding a new one because it has no >>> protocol cost ignores massive costs elsewhere, in a way that >>> exactly parallels the complete usability failures of most >>> encryption protocols. Usability and user requirements analysis >>> must be part of cryptographic protocol design if there is any >>> hope it will work. >> >> It works in OTR and it works well enough, I think. I don't see any >> obvious room for improvement. Though I admit, I like the >> TextSecure design. > > Ending conversations in OTR is specifically a piece of user > interaction that is only required due to the deniability component, > correct?
Not quite. I'd encourage you to look at the code and the specification to understand the full process for refreshing or ending a conversation. > So it's not true that there's no room for improvement. OTR > is also, although far better than many alternatives, something I hear > frequent usability complaints about. This is not what success looks > like. This is at best what the absence of failure looks like. OTR > does not in any meaningful way drive deniability as an invariant > through the design process, nor do implementations clearly explain to > users what invariants they can or cannot expect the system to maintain. > I never claimed that there wasn't room for improvement? I like the design of TextSecure (and RedPhone/Signal) and I showed that there is a legal context for this property, which is what was requested in the first place. In any case, I don't think an improvement would be removal of the denability properties from OTR. All the best, Jacob _______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
