[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Tor for everyone; introducing Eccentric Authentication

On 25.02.16 01:26, Guido Witmond wrote:
On 02/24/16 23:26, juan wrote:
On Wed, 24 Feb 2016 23:04:39 +0100
Guido Witmond <guido@xxxxxxxxxx> wrote:

My drive is to make key exchange happen as a natural part of normal
interactions between people.
	So teach people how to exchange keys.
Teaching is not a solution. See Peter Gutmann's book Security
Engineering. 800+ Pages of disasters with security. Depressing and
enlightening ;-)
A magic wand is a solution. :-)

Not as a separate step that could be
neglected, forgotten or done wrong.
	Ah you want key exchange without key exchange? That is, of
	course, absurd.
I don't want *people* to exchange keys. I envision people to exchange
names and let computers do the key lookup.

So the exchange of a human readable name - the id@site - implies that I
can deduce the correct public key. The one-to-one relationship between
names and keys makes it easy for humans to excahnge a name and for the
computer to figure out the correct public key.

So, to answer your question: people communicate id@site names, the
computer verifies the uniqness properties to determine the corresponding
public keys. The requirement to make the relation between names and
public keys is key. Pun intended.

Though I don't understand your protocol, I don't like id@site names. That site belongs to a corporation, so I depend on a corporation which I can't control. There is a more fundamental problem with human readable names. There is competition for nice names like "sex" or "casino", for example, in the domain of domain names. This competition is resolved with auctions. So a human readable name is paid, and its owner depends on the registrar.Public key fingerprints are a solution to both problems.
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to