Re: Certificate proposal

[Jiri Baum <jirib@sweeney.cs.monash.edu.au>]

-----BEGIN PGP SIGNED MESSAGE-----

Hello tomw@orac.engr.sgi.com (Tom Weinstein) [tomw@cthulhu.engr.sgi.com]
  and cypherpunks@toad.com

TW writes:
> > In article <199510120147.LAA13833@sweeney.cs.monash.edu.au>,
> > Jiri Baum <jirib@sweeney.cs.monash.edu.au> wrote:
> >> What you are missing is that you should not say
> >> "I want to send my credit card number to Egghead Software"
> >> you should say
> >> "I want to send my credit card number to 12 34 56 78 9A BC DE F0"
> 
> > Why does this sound so much like defining the problem away?

To some extent it is...

> > Maybe I just don't get it...
> 
> I agree.  Sending your cc# to a key or an IP address is not what you
> want to do.  As a consumer, I want to make sure that I send my cc# to
> the merchant I am buying from.

But how do you know that you want to send to Egghead Software in the
first place? EHS could be a MIMT, maybe you really want to talk to
Eggfoot Software, but every e-mail Eggfoot sends out is intercepted
and changed to read "Egghead" (and vice versa)...

By the time you verify that Egghead is who you want, you could have just
as easily verified that the key is who you want. Thus skipping one step
and avoiding all the attacks applicable to that step.


Jiri
- --
If you want an answer, please mail to <jirib@cs.monash.edu.au>.
On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)
PGP EF0607F9 (but it's at uni so don't rely on it too much)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMIyIdCxV6mvvBgf5AQHotgQAyEwKWYJR2sgvAyS0eQ45W3TXIaIMeKI2
darQyiz1nW70EY/X8gs3P4+MQnYF/d0QHw6dmyzrXTOYA1UgioEsB8OWy2S65uc5
PqwnVW7TL/e2tgFeuZc/nUvhw7wqgbxAJzhABlnhb6K1BwiEmYFQEqAU8x9Luczm
3cRJeqqKPYM=
=2Pdd
-----END PGP SIGNATURE-----