On 18/04/15 16:19, Berkant Ustaoglu wrote: > > Quoting Michael Rogers <[email protected]>: > >> On 17/04/15 20:08, Trevor Perrin wrote: > >>> IMO there's a useful notion something like "don't leave signed >>> messages around by default" and then stronger academic notions around >>> the idea of "interacting with Alice doesn't give Bob anything he >>> couldn't simulate", which are somewhat dubious (again, IMO) since once >>> you start considering that Bob is actively trying to defeat Alice's >>> deniability he could simply share his private key with the 3rd-party >>> judge and have the judge execute the protocol as him. >> >> "Don't leave signed messages around" is fine for now. >> > > What is your opinion if I there are signed messages around but also the > private key with which the message was singed? Would that meet your notion > of deniability?
That might work, but I can see a couple of difficulties: 1. A party may leave the conversation unexpectedly before publishing their private key, in which case their messages aren't deniable. 2. The signature key that gets published must be ephemeral, so it must somehow be bound to the long-term signature key - is this any easier than binding an ephemeral DH key to a long-term signature key? Cheers, Michael
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
