Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys

ianG <iang@iang.org> Sun, 16 March 2014 11:56 UTC

Message-ID: <53259142.3020101@iang.org>
Date: Sun, 16 Mar 2014 11:55:46 +0000
From: ianG <iang@iang.org>
To: openpgp@ietf.org
References: <80674820640dbeb5ae81f81c67d87541@smtp.hushmail.com> <8761nh1549.fsf@vigenere.g10code.de> <a6d56e791a2c878f34369abc6f09b71d@smtp.hushmail.com> <5323146D.4050006@fifthhorseman.net> <a9cf1a7b7e08e0d601fa5c7c5cf50e71@smtp.hushmail.com> <5323DF28.5070809@fifthhorseman.net> <F4D2857E-0D33-4B6E-8829-9026CE9398DF@callas.org>
In-Reply-To: <F4D2857E-0D33-4B6E-8829-9026CE9398DF@callas.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/j86xx_-SAX7FvX6ioQPk2jcTi0Q

On 15/03/2014 17:47 pm, Jon Callas wrote:

> Now on the other hand, ages ago, we discussed ring signatures, and a use case that I wanted to do was to make it so that whenever Alice sends Bob a signed email or other casual message, she would (could?) sign it with a ring signature of her key and Bob's. Bob knows that he didn't sign it so he knows that Alice did. 

Which might be a nice property, but if it goes further it might be
problematic.  Where I'm thinking is experiences with the oddly-named
OTR, which raises questions on two counts.

Firstly, it isn't OTR because it is a protocol, not a record-keeping or
securing agent [0].

The protocol instead claims something that we might call "deniability"
as in "plausible deniability."

Which leads to fubar #2.  "Plausible deniability" might work in the
movies, but it doesn't work in court, being precisely the place where we
might want to be able to claim something didn't happen.  Unfortunately,
deniability is also the weapon the courts are most used to, and they
test for exactly this [1].  In short words, that's their game, and
they're daring you to try it...

Fubar #3 is that because of the claim of off-the-record and ability to
plausibly deny, the presence of the product itself can be evidence
against the victim.  If for example one were to "plausibly deny" a
record or transcript of a chat session, you're already damned by having
used the product.

> Of course, it's one of those things that are cool, and yet it's hard to say what it actually does to improve anything.

Which all is really sad, because other than that, the OTR protocol and
system has really filled a gap and been quite successful.  With the fall
of Skype, it's about the only game out there for widespread secure chat.
It's just the name and claims that run into unforeseen consequences.

Drifting more OT somewhat, what I think is far more useful is
disappearing messages.  I believe that Snapchat was on the money,
because it disappeared the messages & photos, which was much closer to
what the user needed.  Snapchat is a $16bn lesson to the cryptography
industry.

Anyway, I'm out west of Tahiti by now...

iang

[0] The name is less of relevance here, so in footnotes:  The record is
kept or not kept by the app.  It might be that this latter is useful
but what is not useful is advertising a property such as "off the
record" that the protocol cannot provide, and has no way of knowing if
the app provides it or not.

[1] For the exact same reason, non-repudiation is a concept that the
courts reject in general and in concept.  Oops.