[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Certificate proposal


Hello [email protected] (Tom Weinstein) [[email protected]]
  and [email protected]

TW writes:
> > In article <[email protected]>,
> > Jiri Baum <[email protected]> wrote:
> >> What you are missing is that you should not say
> >> "I want to send my credit card number to Egghead Software"
> >> you should say
> >> "I want to send my credit card number to 12 34 56 78 9A BC DE F0"
> > Why does this sound so much like defining the problem away?

To some extent it is...

> > Maybe I just don't get it...
> I agree.  Sending your cc# to a key or an IP address is not what you
> want to do.  As a consumer, I want to make sure that I send my cc# to
> the merchant I am buying from.

But how do you know that you want to send to Egghead Software in the
first place? EHS could be a MIMT, maybe you really want to talk to
Eggfoot Software, but every e-mail Eggfoot sends out is intercepted
and changed to read "Egghead" (and vice versa)...

By the time you verify that Egghead is who you want, you could have just
as easily verified that the key is who you want. Thus skipping one step
and avoiding all the attacks applicable to that step.

- --
If you want an answer, please mail to <[email protected]>.
On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)
PGP EF0607F9 (but it's at uni so don't rely on it too much)

Version: 2.6.2i