[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: WoT discussions, Trust for Nyms
At 12:06 AM +0000 12/6/97, Adam Back wrote:>
>
>Another lower bandwidth method of making the MITM's job harder is to
>sign and/or publish hashes of public key databases -- download the
>keys, or some useful easily definable subset of keys on keyservers,
>and publish the hash of them in as many media as possible (web,
>finger, news, mail, newspapers, etc.)
>
I have always felt this to be a nearly complete and practical answer to
MITM attacks. Frozen versions of major key databases would be made
available on the net along with a master list of hashes. The hash of that
master list would be widely distributed by electronic and non-electronic
means. One would only have to do it periodically, say every year or two.
Why can't this be done now?
A public billboards would be a good location to post the master hash. (I
like to call the whole approach the "Billboard defense.") I suspect one
could rent visible space on the back side of billboards quite cheaply.
Another good location would be on a bulletin board near a publicly
accessible library. The MIT "infinite corridor" comes to mind.
A variant is for PGP users to post their own fingerprint near their house
or place of business. A business-card-size sign in a window near the front
door would do. People who agree to post such signs would be identified in
the key server database. A suspicions John could then look up a suitable
public key holder in their area, visit their house, and verify the
fingerprint. John would then e-mail an encrypted request to verify a
suspect key to that person.
>Let's say John buys a book on cryptography, and the author included
>his fingerprint. Then John could use this person to authenticate a
>key with Alice. He could write to the author, including a nonce with
>the plaintext, and ask the author to check that the key he thought
>belonged to Alice really did belong to her.
>
My PGP fingerprint is printed on page 232 of E-mail for Dummies, 2nd
edition, IDG Books Worldwide, which I co-authored.
Arnold Reinhold