Search Mailing List Archives
[liberationtech] PGP is hard to use and needs stuff installed on your computer. Use PassLok instead.
steveweis at gmail.com
Mon Jul 29 14:14:21 PDT 2013
Hi. I think you're slowly reinventing PGP.
Just to summarize what you have so far:
1. Alice and Bob each generate key pairs locally.
2. Both securely store their private keys.
3. Both generate hash values of their public keys.
4. Both mutually exchange public keys over an untrusted channel.
5. Both use some existing trusted communication channel to manually
verify their keys.
6. Alice encrypts a password with Bob's public key and sends it to Bob.
7. Alice uses the password to encrypt a message using server-side code.
8. Bob decrypts the message with the password using server-side code.
#1-#3 require client-side software and secure key storage.
#5 assumes that there is a safe communications channel already.
#6 is not forward secure.
#7-#8 are vulnerable to attacks on the server.
#8 is vulnerable to phishing.
On Mon, Jul 29, 2013 at 1:52 PM, Francisco Ruiz <ruiz at iit.edu> wrote:
> Hi Tony, I actually worried about this quite a bit. The best solution I
> could think of is making a hashed ID
> of the public key (PassLok has a button for that), which Alice/Bob can
> dictate over the phone, thus authenticating
> the key.
More information about the liberationtech