On 8/25/10, Brian McGroarty <s...@lindenlab.com> wrote:
> Has anyone spent time looking at the encrypted chat feature included in some
> third-party viewers? It's my understanding that this contacts third-party
> servers in obtaining and validating keys. Is that correct? If so, do these
> connections share any information about the user that we should require to
> be disclosed per section 4.b of the TPV Policy?[1]

I haven't looked too closely at the encrypted chat in Emerald and similar viewers, but my understanding is that it - and all the other third-party viewers - use OTR in a fairly standard way. OTR is deliberately designed not to use any third party server to obtain or validate keys - instead, it provides a way for pairs of OTR users to validate each other's keys directly with each other[2]. All communication happens over the underlying IM protocol, in this case Second Life IMs.

Unless someone's really screwed up the implementation in one of the viewers, OTR should have no interesting privacy implications whatsoever. OTR keys are designed to be per-account (so provide no way of matching up alts) and the encryption scheme used carefully avoids non-repudiation; that is, neither party can use it to prove what the other said to a third party after the fact any more than they could with plain-text IMs. It's basically pretty benign.

[1] NMF.

[2] Specifically, it uses the Socialist Millionaire Protocol to verify the keys, using a piece of information that only the two people know. See http://en.wikipedia.org/wiki/Socialist_millionaire - note that neither the secret answer nor any information that could usefully help to determine it is ever shared with the other party!
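
The check described in footnote [2], as an added example that is not part of the original post or of any viewer's code: a simplified Socialist Millionaire exchange in Python, returning each side's verdict and everything that crossed the IM channel. The 127-bit toy group, the SHA-256 encoding of the answer and all function names are assumptions, and the zero-knowledge proofs OTR attaches to each message are omitted.

```python
import hashlib
import secrets

# Toy group for the demo only (assumption): Mersenne prime 2**127 - 1, base 3.
# Real OTR uses a far larger group and sends a zero-knowledge proof with every
# value; both are left out here so the algebra stays visible.
P = 2**127 - 1
G1 = 3

def rand_exp():
    return secrets.randbelow(P - 3) + 2          # random exponent in [2, P-2]

def secret_to_int(answer: str) -> int:
    # Hypothetical encoding: hash the shared answer to an integer.
    return int.from_bytes(hashlib.sha256(answer.encode()).digest(), "big")

def div(a, b):
    return a * pow(b, -1, P) % P                 # a / b in the group

def smp(alice_answer: str, bob_answer: str):
    x, y = secret_to_int(alice_answer), secret_to_int(bob_answer)
    wire = []                                    # all values sent over IM

    # Message 1, Alice -> Bob: two Diffie-Hellman shares
    a2, a3 = rand_exp(), rand_exp()
    g2a, g3a = pow(G1, a2, P), pow(G1, a3, P)
    wire += [g2a, g3a]

    # Message 2, Bob -> Alice: his shares plus his answer blinded by r
    b2, b3, r = rand_exp(), rand_exp(), rand_exp()
    g2b, g3b = pow(G1, b2, P), pow(G1, b3, P)
    g2, g3 = pow(g2a, b2, P), pow(g3a, b3, P)    # shared bases, Bob's view
    pb, qb = pow(g3, r, P), pow(G1, r, P) * pow(g2, y, P) % P
    wire += [g2b, g3b, pb, qb]

    # Message 3, Alice -> Bob: her answer blinded by s, plus Ra
    s = rand_exp()
    g2_a, g3_a = pow(g2b, a2, P), pow(g3b, a3, P)  # same bases, Alice's view
    pa, qa = pow(g3_a, s, P), pow(G1, s, P) * pow(g2_a, x, P) % P
    ra = pow(div(qa, qb), a3, P)
    wire += [pa, qa, ra]

    # Message 4, Bob -> Alice: Rb; each side then checks Rab == Pa/Pb,
    # which holds only when x == y (up to negligible probability).
    rb = pow(div(qa, qb), b3, P)
    wire.append(rb)
    bob_ok = pow(ra, b3, P) == div(pa, pb)
    alice_ok = pow(rb, a3, P) == div(pa, pb)
    return alice_ok, bob_ok, wire
```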