Is the OpenPGP model still useful?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sat Jul 23 19:21:57 CEST 2011
On 07/23/2011 07:04 PM, Marcio B. Jr. wrote:
> On Wed, Jul 6, 2011 at 5:49 PM, Robert J. Hansen <rjh at sixdemonbag.org> wrote:
>>> So far, OTR adoption seems unjustifiable, really. I mean, it uses the
>>> Diffie-Hellman key exchange method with block ciphers.
>>
>> Why is this a problem?
>
> You know, secrets are shared. 100% increase (at least) in "exposing" risks.
I am struggling with how to respond to your messages since i find them
confusing.
Are you aware that the purpose of OTR is to allow two parties to
communicate confidentially?
In a confidential communication, a secret message is sent from party A
to party B. The entire purpose is to share the secret between the two
parties. They have to share the key to the cipher in order to share the
secret.
OpenPGP itself uses this sort of symmetric encryption to encrypt
messages with a random session key, and only uses asymmetric encryption
to encrypt the session key itself.
If you research other popular encryption standards (e.g. TLS), you'll
find this "hybrid" approach is quite common. If there's a serious
downside or risk to it, could you outline the sort of attack you're
concerned about?
Thanks,
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110723/91bb5d11/attachment.pgp>
More information about the Gnupg-users
mailing list