[messaging] Value of deniability

Eleanor Saitta ella at dymaxion.org
Wed Dec 10 17:43:20 PST 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 2014.12.10 20.27, Sam Lanning wrote
>>> And it will stand up in a court of law as strongly as a chain
>>> of PGP signed emails.
>> 
>> We have no evidence that supports this assertion.
> 
> No. But for all intents and purposes, it is technically identical.

No.  Signatures in email are designed to be persistent and are
archived, in many cases for years.  They're subject to the Stored
Communcations Act in the US, and significant technical infrastructure
exists to preserve them.  It's natural to bring them into the
courtroom, and they're relatively easy to explain to a lawyer.
They're often the result of an explicit choice by the user to signify
a specific piece of communication, which has nontrivial argumentative
value in court.  None of these are true for channel authenticity
measures not attached to a specific message.

> Is there zero protective value in forward secrecy?
> 
> Of course we can always tell people about it but not give any UI 
> hints... like forward secrecy.

While in some cases, users may benefit from forward secrecy even if
they don't expect it to be there/understand it, users who are actively
thinking about their security do need to be aware whether they're
using forward-secrecy-preserving cryptosystems, when understanding the
severity of a device capture.  If I know that the machine is currently
clean of stored communication data/metadata and that all
communications from the device have preserved forward secrecy, I don't
need to act on the assumption that an adversary I believe to have
captured encrypted communications now has the content of those
communications, which will significantly change the way I react.  If
you are designing for users who you expect to perform any kind of
security planning, you must communicate security properties to them.

Now, in systems not designed for high-risk or specifically targeted
users, maybe you don't need to do this.  However, most systems
designed with deniability in mind seem to be designed for high-risk users.

>> How much work has been done to test and ensure that deniability 
>> is maintained in Axolotl?
> 
> There was a deep technical study here:
> https://eprint.iacr.org/2014/904.pdf

Right.  So it's not even close to free, even at the protocol level --
it's the result of significant engineering effort that could have been
spent elsewhere.

E.

- -- 
Ideas are my favorite toys.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlSI9rgACgkQQwkE2RkM0woCIQEAiX667G05cVuqSnEiwLtNR10o
fT9YNtsYDzF2X+1lg6oA/2I1MP6gXXVyTIPu+Dqhgva5FwfavhbZz+j6RG9arAWM
=JvZV
-----END PGP SIGNATURE-----

More information about the Messaging mailing list