
Re: WoT discussions, Trust for Nyms




At 12:06 AM +0000 12/6/97, Adam Back wrote:
>
>Another lower bandwidth method of making the MITM's job harder is to
>sign and/or publish hashes of public key databases -- download the
>keys, or some useful easily definable subset of keys on keyservers,
>and publish the hash of them in as many media as possible (web,
>finger, news, mail, newspapers, etc.)
>

I have always felt this to be a nearly complete and practical answer to
MITM attacks. Frozen versions of major key databases would be made
available on the net along with a master list of hashes. The hash of that
master list would be widely distributed by electronic and non-electronic
means. One would only have to do it periodically, say every year or two.
Why can't this be done now?

A public billboard would be a good location to post the master hash.  (I
like to call the whole approach the "Billboard defense.") I suspect one
could rent visible space on the back side of billboards quite cheaply.
Another good location would be on a bulletin board near a publicly
accessible library. The MIT "infinite corridor" comes to mind.

A variant is for PGP users to post their own fingerprint near their house
or place of business. A business-card-size sign in a window near the front
door would do. People who agree to post such signs would be identified in
the key server database. A suspicious John could then look up a suitable
public key holder in their area, visit their house, and verify the
fingerprint. John would then e-mail an encrypted request to verify a
suspect key to that person.

>Let's say John buys a book on cryptography, and the author included
>his fingerprint.  Then John could use this person to authenticate a
>key with Alice.  He could write to the author, including a nonce with
>the plaintext, and ask the author to check that the key he thought
>belonged to Alice really did belong to her.
>

My PGP fingerprint is printed on page 232 of E-mail for Dummies, 2nd
edition, IDG Books Worldwide, which I co-authored.

Arnold Reinhold
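
The scheme described in the message above (frozen key databases, a master list of their hashes, and one widely published hash of that list), sketched as an added example that is not part of the original message. SHA-256, the "<hash>  <name>" line format, the file names and the sample key data are all assumptions made for illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_master_list(snapshots: dict) -> bytes:
    """One '<hash>  <name>' line per frozen database, sorted by name so
    every publisher derives byte-identical output from the same snapshots."""
    lines = []
    for name in sorted(snapshots):
        if not name or "\n" in name:
            raise ValueError("snapshot name must be a non-empty single line")
        lines.append(f"{sha256_hex(snapshots[name])}  {name}\n")
    return "".join(lines).encode("utf-8")

def verify_snapshot(name: str, blob: bytes, master_list: bytes,
                    published_hash: str) -> str:
    """Check a downloaded snapshot against the widely published master hash.
    Returns 'ok' or the reason the check failed."""
    # Step 1: the master list itself must match the out-of-band hash.
    if sha256_hex(master_list) != published_hash.strip().lower():
        return "master list does not match published hash"
    # Step 2: the snapshot must be listed with a matching hash.
    listed = {}
    for line in master_list.decode("utf-8").splitlines():
        digest, _, entry = line.partition("  ")
        listed[entry] = digest
    if name not in listed:
        return "snapshot not in master list"
    if listed[name] != sha256_hex(blob):
        return "snapshot differs from frozen version"
    return "ok"

# Constructed sample data: two tiny stand-ins for frozen keyserver dumps.
SNAPSHOTS = {
    "keyserver-a.frozen": b"alice <constructed key A1>\nbob <constructed key B1>\n",
    "keyserver-b.frozen": b"carol <constructed key C1>\n",
}
MASTER_LIST = build_master_list(SNAPSHOTS)
PUBLISHED_HASH = sha256_hex(MASTER_LIST)  # the value that would go on the billboard

if __name__ == "__main__":
    print(MASTER_LIST.decode(), end="")
    print("master hash:", PUBLISHED_HASH)
    good = SNAPSHOTS["keyserver-a.frozen"]
    print(verify_snapshot("keyserver-a.frozen", good, MASTER_LIST, PUBLISHED_HASH))
```

A party who substitutes a key in one snapshot must also alter the master list, and the altered list then fails step 1 against the hash the reader obtained through an independent channel.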