[pkg-otr-team] Bug#818313: Bug#818313: Bug#818313: off-the-record (OTR) plugin actually logs conversations

Holger Levsen holger at layer-acht.org
Wed Mar 16 15:30:50 UTC 2016


Hi,

On Wed, Mar 16, 2016 at 11:12:29AM -0400, Antoine Beaupré wrote:
> > . Perfect forward secrecy - If you lose control of your private keys, no
> > previous conversation is compromised.

btw, please stop calling it "_perfect_ forward secrecy", as it might give a 
false sense of security. "Forward secrecy" expresses what it does just as
well.

(e.g. you never know what advances or flaws the future brings. If it were
"perfect" it wouldn't matter, yet it does. Someone who logs the full
encrypted communication might use that in future to decrypt it.)

but back to my main point here…

> I just don't see the use case of logging OTR
> conversation, other than being a malicious attacker or a user
> misconfiguring his software.

two examples:

a.) you tell me useful stuff (e.g. instructions how to use something, how
to get to a specific place) which I would like to refer to later.

b.) you harass me using OTR. I want to keep logs of this harassment to
prove/show it.

I'm sure there are more use cases.

> But anyways, I don't care much. I spent over two hours last night trying
> to figure out how to do it in code. If you guys want a configuration
> flag to turn that off, feel free to finish up a patch and do that. :)

Nice!

As suggested in my original reply I think it would be nice if there
would be some way in the protocol to indicate to the other party that
one is logging.

Surely a malicious person could hack the code and turn off these
indicators, but most people are nice and wouldn't do that, and as Micah
explained, anybody can blast OTR conversations to the Grand Canyon
already anyway ;)


-- 
cheers,
	Holger