by sk5t 2788 days ago
I found it a reasonably constructive reply, because the operation of a "black box" cannot be properly observed, whether or not some of its behavior adheres to a particular contract or protocol.

You seem to be taking the name of one specific company a little too literally. As I showed previously it is a public protocol that interoperates with open source clients, it isn't a black box in any way shape or form.

I feel like this discussion is getting away from the original premise:

> anyone with even a basic understanding of crypto would do things the other way around.

i.e. use PGP instead of OTR. Nobody has yet even attempted to explain their reasoning as to why. Bringing up one specific vendor is a deflection, rather than an answer.

You seem to be inferring focus on the name of the company more than intended. Is this not closed-source software? Might it not have some weaknesses at any point in its implementation or update mechanisms--by design or inadvertently--that put it at a disadvantage to PGP?

This discussion started because someone claimed that the crypto of one was superior to the crypto of the other; the implementations aren't strictly relevant, i.e.:

> anyone with even a basic understanding of crypto would do things the other way around.

Not least of all because they made no reference to which implementation of PGP they were even calling superior, only the protocol itself.

The choice isn't between using OTR vs. using PGP. It's between using unaudited (but perhaps convenient) commercial software vs. using possibly-audited, offline-friendly (probably inconvenient) PGP to exchange extremely-high-sensitivity messages. The apocryphal Snowden account even appears to suggest PGP for the lower-sensitivity message.