[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Acceptance of Keys

To: ASTMWILL%[email protected]
Subject: Acceptance of Keys
From: Karl L. Barrus <[email protected]>
Date: Mon, 4 Jan 93 14:03:15 -0600
Cc: [email protected]
In-Reply-To: Matt Willis's message of Mon, 4 Jan 1993 12:50 EST <[email protected]>

Matt,

	You posted some very good questions.  The reason why it is
"unacceptable" to accept keys electronically is that you may be
vulnerable to spoofing.  Okay, in reality, you have to realize that
attacking cryptographic protocols is a paranoid view of things, and
that you may not be attacked, but... if you send your public key to
somebody, it could be possible for someone to eavesdrop, grab your
key, substitute their own, and send that one along.  Then when someone
responds to "you", the eavesdropper could read the message, re-encrypt
it with the public key they stole, and send it along to you.  Then,
you don't even know you are the victim of eavesdropping.
	Anyway, it all boils down to validating the keys you receive.
Which makes it tough unless you can meet people face to face.
However, the latest version of pgp contains an option which computes
the md5 hash of your public key - which allows you to call someone,
and read each others hashes, thus completing the verification over the
phone.  Of course, now you have to worry about receiving their correct
phone number... :-)
	
/-----------------------------------\
| Karl L. Barrus                    |
| [email protected] (NeXTMail) |
| [email protected]             |
\-----------------------------------/

References:
- Acceptance of Keys
  - From: Matt Willis <ASTMWILL%[email protected]>

Prev by Date: Re: The Need for Positive Repuations
Next by Date: Re: Return addresses
Prev by thread: Acceptance of Keys
Next by thread: Re: RE: Acceptance of Keys
Index(es):
- Date
- Thread