[jdev] Re: JEP-0027 (OpenPGP) implementation question
stpeter at jabber.org
Tue Mar 7 16:12:43 CST 2006
Justin Karneges wrote:

> On Tuesday 07 March 2006 09:13, Peter Saint-Andre wrote:
>> Looking at JEP-0116 again, I see that public keys are used to verify the
>> identity of the parties, but that the stanzas themselves are signed and
>> encrypted with session keys. So identity is asserted and preserved in
>> the initial negotiation, but not attached to each stanza. Or so it seems
>> (I need to read JEP-0116 again in depth).
>
> I believe identity is attached at all times.
> For the OTR feature, though, something is done later to make the packet
> signatures worthless. The idea is that both parties can have full trust in
> each other's identity during the conversation, but it is not possible to
> later "prove" that each party actually said what they said, since forgery
> would be easy at that point.

Well, somehow I doubt that a court of law would care whether it can be
cryptographically proven that one party did or did not say something.
Does anyone know of case law on this point? Sure, we geeks know that
it's possible for one party (or a third party) to forge messages, but
stored email messages have been used to implicate people and we know
they can be forged as well. So the repudiability and perfect forward
security aspects of OTR don't give me much comfort in the real world.

Jabber Software Foundation