On Tue, 19 Feb 2013 11:36:36 +0100 Kjell Braden <[email protected]> wrote:
> On 2013-02-19 05:51, Ileana wrote:
> > Any other comments or additional details are appreciated.
>
> In your blog post you mention OTR does DH on the 1536-bit prime
> group. It looks like you swapped it in the comparison table.
> Same goes for the Proof of Communication.

Thanks, will fix.

> Also, you confuse two different concepts of authentication:
> Every OTR session uses cryptographic authentication. If you
> previously marked a key as trusted (i.e. you know it belongs to the
> reported owner), OTR will flag it as trusted again if you come back
> later to the same DSA key.

OK...well, this has been a confusion for me. Again, I would like some kind of diagram here...because I know OTR compares the fingerprints (or allows for comparison). That seems like authentication to me...a constant fingerprint.

So OTR also creates and stores a DSA key to be used for authentication? I thought ElGamal or RSA was supposed to be used...but beyond that it's over my head due to vulnerabilities with DSA auth.

But to be honest, I don't use OTR this way. I manually use new login names, and delete all the old keys so every time I connect it generates a new key.

Am I right to assume that this DSA hash authentication is actually done within the encrypted tunnel of DH/AES? My concern is that such signature exchanges in the clear would be subject to traffic analysis.

> Claiming that TorChat had automatic authentication while OTR used
> manual authentication is misleading, because the same manual
> authentication appears in TorChat by exchanging the hidden service
> address (see Gregory's post).
>

I believe the difference is that this is not really a normal authentication as is done...it is a manual inspection of the fingerprint, and marking it as trusted, rather than the Tor software which internally authenticates the hidden service for you.

_______________________________________________
OTR-dev mailing list
[email protected]
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
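The two concepts separated in the quoted reply above (the per-session signature check versus the stored trust decision for a DSA key), as an added example that is not part of the original thread and is not libotr code. The fingerprint follows the OTR protocol specification (SHA-1 over the MPI-encoded p, q, g, y); `TrustStore`, `constructed_key`, the account names and the key values are hypothetical and constructed for illustration.

```python
import hashlib

def mpi(n: int) -> bytes:
    """OTR MPI encoding: 4-byte big-endian length, then the value, no leading zeros."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw).to_bytes(4, "big") + raw

def fingerprint(p: int, q: int, g: int, y: int) -> str:
    """SHA-1 over the serialized DSA public key. For DSA keys (pubkey type
    0x0000) the two type bytes are left out of the hashed data."""
    digest = hashlib.sha1(mpi(p) + mpi(q) + mpi(g) + mpi(y)).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))

class TrustStore:
    """Hypothetical local store mapping (account, fingerprint) -> verified flag."""
    def __init__(self):
        self._known = {}

    def mark_verified(self, account: str, fpr: str) -> None:
        # The user compared the fingerprint out of band and accepted it.
        self._known[(account, fpr)] = True

    def classify(self, account: str, fpr: str) -> str:
        """Assumes the session's signature check against this key already
        succeeded; this step only answers whether the key is one we trust."""
        key = (account, fpr)
        if key not in self._known:
            self._known[key] = False
            return "new key"
        return "verified" if self._known[key] else "seen, unverified"

def constructed_key(label: str):
    """Constructed stand-in for (p, q, g, y); deterministic, not a usable DSA key."""
    return tuple(int.from_bytes(hashlib.sha256(f"{label}/{name}".encode()).digest(), "big")
                 for name in "pqgy")

def demo():
    store = TrustStore()
    longterm = fingerprint(*constructed_key("alice-longterm"))
    results = [store.classify("alice@example.org", longterm)]    # first contact
    results.append(store.classify("alice@example.org", longterm))  # same key, not yet checked
    store.mark_verified("alice@example.org", longterm)
    results.append(store.classify("alice@example.org", longterm))  # same key, now trusted
    # A fresh login name and a fresh key per session never match a stored entry.
    for n in range(2):
        fresh = fingerprint(*constructed_key(f"throwaway-{n}"))
        results.append(store.classify(f"login{n}@example.org", fresh))
    return results

if __name__ == "__main__":
    print(demo())
```
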
