[messaging] Value of deniability

[Eleanor Saitta]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 2014.12.10 15.52, Ximin Luo wrote:
> Yes, deniability won't prove the lack of authorship in legal 
> settings, because in current systems there's lots of other
> evidence that suggests (or "proves-in-court") authorship. However,
> once we have systems that provide unlinkability, then deniability
> becomes more useful - so better to build it in now.

By which mechanism does it become more useful?

> I don't understand the source of this perception that people have 
> "been wasting time" on it, though. The delay in doing end-to-end 
> group chat hasn't been because of deniability, but other more 
> structural issues around the fact that it's a group chat.

Interesting.  It's my understanding (and apologies if I'm wrong on
this) that the complexity around deniability rules out a large number
of possible solutions that provide the other set of properties we
might like.  The question I asked on libtech was about where
requirements were sourced from and, for instance, the work that was
done in providing deniability in (n+1)sec without providing any kind
of moderator-kick ability at the protocol level, the former not being
something we see any field demand for and the latter being absolutely
critical in most real uses.

> Generally, we want to have the maximum security for ourselves -
> which includes the inability for our recipients to prove to 3rd
> parties that we sent a message. So this should be the "default"
> security property to aim for.

No, we want to have the set of security properties that have proven
field utility and we can roll back from there.  I agree with the logic
of this paragraph, but not your evaluation of the starting point.

> As per the OP's situation, sometimes it could be useful to set up
> an additional social contract along the lines of "I don't want to
> talk to you unless you give me the ability to prove to 3rd parties
> that you said this", we can easily do it on top of a deniable
> system - by signing everything again inside the deniable channel.
> But we can't build deniability on top of signatures. So it's best
> to start off with deniability as the base security property for a
> channel.
> 
> TL;DR: yes deniability is not useful legally (currently), but it's 
> still useful for other reasons.

You have not in fact done anything other than handwave in this direction.

E.

- -- 
Ideas are my favorite toys.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlSItHcACgkQQwkE2RkM0wqSIgD/TYdaCUOGl9zyzdhBdPnRieF7
DoEbIPuZhc6UkKo6isEA/0bbdxQZZF+T8d+3NK8REwSDDn6/z8geotBZNUFE69tY
=dL6F
-----END PGP SIGNATURE-----