[messaging] X3DH: why put OTPKs on the server?

Vincent Breitmoser look at my.amazin.horse
Sat Feb 4 09:42:27 PST 2017

Ron Garret(ron at flownet.com)@Sat, Feb 04, 2017 at 09:25:11AM -0800:
> The X3DH protocol calls for Bob to publish a set of one-time pre-keys
> (OTPKs) to the server.  What is the purpose of this?  Why not just
> have Bob issue an OTPK directly to Alice on demand as the first step
> in the protocol?

Just for recap:

The specific gain of prekeys is that they mix a bit of information from
the receiving side into the DH handshake that they can delete. They
serve the equivalent purpose that the ephemeral key does on the sending
side, thus making the handshake information ephemeral on both sender and
recipient sides. It has no effect on authentication.

> The only possible answer I can think of is that Bob might not be
> on-line to fulfill the request.  But the whole point of X3DH (as I
> understand it) is to establish a session key for a real-time
> communications session, so if Bob is not on line the whole protocol is
> moot.

Why is it moot?  Alice can send a message to Bob with all the properties
in place, that Bob can receive and read at any later point.  Getting
"real-time" communication right brings up a whole different set of
issues, which I'm not sure are actually easier to get right.

More importantly, this is in line with what users came to expect from
other communication tools (SMS, email, ...), that once a message is sent
it is "in transit", not just waiting to be sent once the recipient is

 - V
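
The point made in the reply above, as an added example that is not part of the original thread: Bob uploads a prekey bundle and goes offline, Alice derives the session key without him, and a later leak of Bob's remaining private keys reproduces that key only when no one-time prekey was mixed in. Assumptions: exponentiation modulo 2**255 - 19 is a toy stand-in for X25519, SHA-256 is a stand-in for the X3DH KDF, the signed-prekey signature is left out because authentication is not what is being shown, and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy DH group (assumption): exponentiation mod the prime 2**255 - 19 stands in
# for X25519. It is NOT secure; only DH(a, B) == DH(b, A) matters here.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(32, "big")

def kdf(*parts):
    # Stand-in for the KDF step: SHA-256 over the concatenated DH outputs.
    return hashlib.sha256(b"".join(parts)).digest()

def publish_bundle(ik_b, spk_b, opk_b):
    # What Bob uploads while online: public halves only.
    return {"IK": ik_b[1], "SPK": spk_b[1], "OPK": opk_b[1] if opk_b else None}

def alice_derive(ik_a, ek_a, bundle):
    parts = [dh(ik_a[0], bundle["SPK"]),   # DH1 = DH(IK_A, SPK_B)
             dh(ek_a[0], bundle["IK"]),    # DH2 = DH(EK_A, IK_B)
             dh(ek_a[0], bundle["SPK"])]   # DH3 = DH(EK_A, SPK_B)
    if bundle["OPK"] is not None:
        parts.append(dh(ek_a[0], bundle["OPK"]))  # DH4 = DH(EK_A, OPK_B)
    return kdf(*parts)

def bob_derive(ik_b_priv, spk_b_priv, opk_b_priv, ik_a_pub, ek_a_pub):
    parts = [dh(spk_b_priv, ik_a_pub), dh(ik_b_priv, ek_a_pub), dh(spk_b_priv, ek_a_pub)]
    if opk_b_priv is not None:
        parts.append(dh(opk_b_priv, ek_a_pub))
    return kdf(*parts)

def run(with_opk):
    ik_a, ek_a = keypair(), keypair()
    ik_b, spk_b = keypair(), keypair()
    opk_b = keypair() if with_opk else None
    server = publish_bundle(ik_b, spk_b, opk_b)   # Bob goes offline after this
    sk_alice = alice_derive(ik_a, ek_a, server)   # Alice sends while Bob is away
    sk_bob = bob_derive(ik_b[0], spk_b[0], opk_b[0] if opk_b else None, ik_a[1], ek_a[1])
    opk_b = None                                  # Bob deletes the one-time private key
    # Later compromise: Bob's remaining private keys plus IK_A, EK_A seen on the wire.
    sk_leak = bob_derive(ik_b[0], spk_b[0], None, ik_a[1], ek_a[1])
    return sk_alice == sk_bob, sk_leak == sk_alice
```

`run(True)` returns `(True, False)` and `run(False)` returns `(True, True)`: both sides agree either way, but only the deleted one-time prekey keeps the later key leak from reproducing the session key.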
