undefined | Better HN

0 pointsmkj10y ago0 comments

If you're archiving at all then OTR won't encrypt them - it's not going to archive the ciphertext.

I guess offline contacts is a use case against OTR, though whisper's certainly has that sorted out already. https://whispersystems.org/blog/advanced-ratcheting/

0 comments

2 comments · 1 top-level

daturkel10y ago· 1 in thread

Yeah I've never seen an implementation of OTR that blocked archival—in the journalistic sense, it's still on the record so to speak. (That being said, OTR's deniable authentication means I can use my plaintext archive to recall the conversation but I can't prove to a third party that it's from who I say it was—nor would I be able to if I was storing the encrypted conversation.)

With the above considered, I'm curious to hear another argument for OpenPGP over XMPP rather than OTR.

(Edit: Should say that there likely are OTR implementations that archive the ciphertext, or don't automatically archive at all. However, having used OTR in Jitsi and Adium, both I believe keep regular old plaintext logs.)

iheartmemcache10y ago

Even if it was blocked by the implementation, the second it hits your local machine is the second an end-user can capture it (either by recompiling the plugin, the base software, hooking DLLs, accessing the heap directly, with screenshots or even with a Polaroid).

The only advantage of OpenPGP/GnuPG over XMPP I can think of is it supports multiple end-users via merged groups out of the box. With OTR it's harder to logistically organize multi-session key-sharing. And if one of your machines is compromised, you can do a PKI revoke via CRL (or whatever it's called in GPG, slipping my mind at the moment).

j / k navigate · click thread line to collapse