That's my understanding of it. Many applications protect private keys with a pass phrase, but I'm not aware of that option in OTR. And even if it was an option, you still couldn't be certain your buddy was using it. I'll bet this situation isn't addressed b/c if Mallory can get private keys, there are probably other, even worse problems. --Bits
"Greg Reagle reagle-at-cepr.net |otr/Example Allow|" <[email protected]> on Friday, April 17, 2015 at 10:18 -0400 wrote: >Hello all. I have a question about authentication in OTR. The docs say >"However, once you've authenticated your buddy, you don't have to do it >again. OTR will automatically do the authentication for all of your >future conversations with that buddy." [1] My understanding is that the >authentication is based on the idea that your buddy has a private key >that no one else has. So what if you authenticate with your buddy Bob, >then, somehow, Mallory gets access to Bob's computer and gets his secret >key. Then OTR will continue to say that you are having an authenticated >session with Bob , but it could be Mallory? Is that right? >[1] https://otr.cypherpunks.ca/help/4.0.0/authenticate.php?lang=en >-- >Greg Reagle >System & Network Administrator >Center for Economic and Policy Research >[email protected] >_______________________________________________ >OTR-users mailing list >[email protected]
_______________________________________________ OTR-users mailing list [email protected] http://lists.cypherpunks.ca/mailman/listinfo/otr-users
