[messaging] Value of deniability

Ximin Luo infinity0 at pwned.gg
Wed Dec 10 12:52:47 PST 2014

Yes, deniability won't prove the lack of authorship in legal settings, because in current systems there's lots of other evidence that suggests (or "proves-in-court") authorship. However, once we have systems that provide unlinkability, then deniability becomes more useful - so better to build it in now.

I don't understand the source of this perception that people have "been wasting time" on it, though. The delay in doing end-to-end group chat hasn't been because of deniability, but other more structural issues around the fact that it's a group chat.

Generally, we want to have the maximum security for ourselves - which includes the inability for our recipients to prove to 3rd parties that we sent a message. So this should be the "default" security property to aim for.

As per the OP's situation, sometimes it could be useful to set up an additional social contract along the lines of "I don't want to talk to you unless you give me the ability to prove to 3rd parties that you said this", we can easily do it on top of a deniable system - by signing everything again inside the deniable channel. But we can't build deniability on top of signatures. So it's best to start off with deniability as the base security property for a channel.

TL;DR: yes deniability is not useful legally (currently), but it's still useful for other reasons.


On 10/12/14 21:23, Nadim Kobeissi wrote:
> Deniability is a fictitious property that has, to my knowledge, never had
> any bearing on a real world case amounting more than overblown
> mentions-in-passing.
> Considering that the vast majority of problems in cryptography software
> today stem from errors in software implementation, and not from the lack of
> miscellaneous and academic properties such as deniability, I'd consider that
> engineers focusing on deniability instead of proven-secure software
> implementations don't exactly know what's salient when it comes to pushing
> software.
> (My tone is harsher than usual; this is because I can't believe people still
> bother wasting time on deniability when we have problems implementing
> confidentiality and authentication correctly - far more basic properties.)
> NK
> -----Original Message-----
> From: Messaging [mailto:messaging-bounces at moderncrypto.org] On Behalf Of
> Jacob Appelbaum
> Sent: December 10, 2014 2:57 PM
> To: messaging
> Subject: Re: [messaging] Value of deniability
> On 12/10/14, Eleanor Saitta <ella at dymaxion.org> wrote:
>> Hash: SHA256
>> On 2014.12.10 13.56, Mike Hearn wrote:
>>> I would like to hear opinions on the value of deniability in OTR like
>>> protocols.
>>> From a privacy perspective the rationale is fairly clear.
>> Has anyone ever seen a case where cryptographic deniability was
>> accepted by a judge?  As far as I can tell, its legal value is a
>> fiction from the cryptographic community.
> Yes, I think so. The lack of signatures ensures that a text log is just that
> - a text file without cryptographic assurances. It is subject to tampering.
> If I recall correctly, this issue came up a bit in Anakata's recent trials.
> Furthermore, the inverse is accepted routinely - digital signature laws in
> some US states. Washington State in the United States seems to be an
> example. If you have a PGP signed email, I'd expect some binding laws to
> apply for statements made in the signed portion of the text.
> Without a signature, I don't it will fall under the same digital signature
> statutes.
> Repudiation and non-Repudiation are real properties that they have
> contextual value.
> All the best,
> Jacob
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20141210/54e7f53e/attachment.sig>

More information about the Messaging mailing list