On 02/22/2016 04:03 PM, Guido Witmond wrote:
> If either the blogger or responder wishes to send a private message,
> they can use the others' persons public key after validating there is no
> MitM. Message transport goes through the site. After a few round trips
> of messages, there is certainty there is no MitM.

The website http://eccentric-authentication.org/ says:
> With the use of DNSSEC and a validation service to check that each
> certificate is issued only once we can prevent Man-in-the-Middle
> attacks

Could you explain how you validate that there is no MitM, and why a few round trips would make this certain?

Do we not have to trust the validation service not to issue more than one certificate? I.e., the website or validation service can be the MitM.
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk