You are reading content from Scuttlebutt
@mikey %G7BjZsZr02TPAoIeD+w3WgiAbi6Wjh78Fp2jB9JOIjg=.sha256

i recently learned something about Scuttlebutt, maybe worth sharing. :cat:

every message on your feed, including private messages, is on-the-record.

that is, even if your key is leaked, you cannot plausibly deny anything you've said (including the contents of private messages).

or summed up by @dominic

SSB is designed for sober usage. However, another protocol (that even utilized ssb identities) could be bootstrapped on the side, and optimized for drunk usage, we just haven't gotten to that part yet. - %3fLK0BL...

what do i mean by on-the-record?

well in old-school "off-the-record" systems, you create a new key for each conversation, then after you are done exchanging encrypted messages, you leak your key. by leaking your key, you allow anyone to forge valid messages, which means you can plausibly deny that any valid message is actually from you.

for some reason i've vaguely thought that the same ideas applied to Scuttlebutt private messages.

but then i realized, in Scuttlebutt, every message is signed into your feed, linked back by future messages by hash (an identifier determined by the content of the message). so even if you leak your key, not only does everyone still have copies of your original messages, but also your messages have been weaved into the fabric of message links, so even someone with your key cannot forge new messages in place of your old messages (as the hashes would not match).

so, until we get a drunk protocol, please play with your butts responsibly :peach:
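
The hash-link argument above, as an added example that is not part of the original post: a simplified Node.js model of a signed, hash-linked feed (an assumed layout, not SSB's actual message format; `append`, `firstInvalid` and `forgeInPlace` are hypothetical names). A message forged with the leaked key verifies on its own, but its id differs from the original's, so the back-link in the next message no longer matches.

```javascript
// Added example: simplified model of a signed, hash-linked feed (assumed layout, not SSB's real format).
const nodeCrypto = require('node:crypto');

const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest('base64');

// Append a message that names the id of the previous one, then sign it.
function append(feed, privateKey, content) {
  const previous = feed.length ? feed[feed.length - 1].id : null;
  const body = JSON.stringify({ previous, sequence: feed.length + 1, content });
  const signature = nodeCrypto.sign(null, Buffer.from(body), privateKey).toString('base64');
  // The id is a hash over body and signature, so changing either changes the id.
  return [...feed, { body, signature, id: sha256(body + signature) }];
}

// Check each signature, id, sequence and back-link; return the sequence of the first bad message, or 0.
function firstInvalid(feed, publicKey) {
  let prevId = null;
  for (let i = 0; i < feed.length; i++) {
    const { body, signature, id } = feed[i];
    const { previous, sequence } = JSON.parse(body);
    const sigOk = nodeCrypto.verify(null, Buffer.from(body), publicKey, Buffer.from(signature, 'base64'));
    const linkOk = previous === prevId && sequence === i + 1;
    if (!sigOk || !linkOk || id !== sha256(body + signature)) return i + 1;
    prevId = id;
  }
  return 0;
}

// Replace message `seq` with new content, validly signed with the leaked key.
function forgeInPlace(feed, leakedKey, seq, content) {
  return [...append(feed.slice(0, seq - 1), leakedKey, content), ...feed.slice(seq)];
}

function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  let feed = [];
  // Constructed sample messages.
  for (const text of ['hello', 'something i may regret', 'good morning']) feed = append(feed, privateKey, text);
  const forged = forgeInPlace(feed, privateKey, 2, 'something harmless');
  return {
    original: firstInvalid(feed, publicKey),                  // untouched feed verifies
    forgedAlone: firstInvalid(forged.slice(0, 2), publicKey), // forged message has a valid signature
    idChanged: forged[1].id !== feed[1].id,                   // but not the id others already link to
    forgedInFeed: firstInvalid(forged, publicKey),            // message 3 still points at the original
  };
}

console.log(demo());
```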

@andrestaltz %l47roa+wZFJP0qLyZQC66Ga5Y/UVqVv5IL11E5wCSxI=.sha256

Interesting link! Plausible deniability = signatureless messaging.

@dan %O8QKoA+c4WjWFTRuKwcvWexhpC2Dp9eZ5wbuYK8DtkM=.sha256

cc: #on-the-record

@cryptix %N8zSnD3gpJtooley0IA6yB9VK9qsq81MRdR2QhB6PhA=.sha256

in Scuttlebutt, every message is signed into your feed

Very important point @mikey!
Thanks for bringing it up again. I'm always a bit sad when new people come across this after they are already on board (recent example..). I think these functional principles and their effects need to be really boiled down to digestible facts during onboarding.

in otr .. you leak your key.

All the clients I used for some time (pidgin, jackline) implemented otr with some sort of long-term secret so you only had to do the verify over sidechannel dance once. Looks like I've been using it wrong for all those years and should have dumped my key much more often... or I wonder if these long-terms were used to create session keys...

From the how do others #cryptography department I'm still interested to see how ietf mls will develop (think of more specified ratchet). Using that and ssb as a trampoline to create ephemeral groups is kinda what I want but am not sure how to consolidate full-decent with its requirements yet.. they even dislike the federated scenario, so it seems from the mailing list.

Direct Anonymous Attestation is another scheme which should offer something like anonymous signatures but I don't like the corporate cert auth vibe (it's coming from the TPM community) and didn't dig in much deeper yet.

I also hope group ricochet has something new to offer.

@dan %yzTK0Jmul6fhrEx7G5WDzwYeOL2IlvWlV0DoQkx07ic=.sha256

Just dropping this here, not meaning to derail, but related.

https://openprivacy.ca/blog/2018/06/28/announcing-cwtch/

@dan %MSRvQpIob6wA1DIg/oY6ls1QQfUPFL5RWNSeHqXCsgs=.sha256

cc: #cwtch
