On Wed, Mar 6, 2013 at 6:33 AM, StealthMonger <[email protected]> wrote:
> ...
>
>> The key, and the hash of the key, is a long string of random
>> gibberish. It should not be visible to end users. Experience
>> demonstrates that showing it repels 99% of end users.
>
> Merchant includes its telephone number in every advertisement and
> repeatedly admonishes prospects to call.
>
> The telephone number may be a long string of random digits. Yet end
> users understand that they have to use it if they want to follow up.

You've moved the problem around again :)

I have thought about pre-recorded telephone messages to provide authenticity assurances. What do we do when the telecoms are in bed with the government? It's happened in real life: the US Congress passed a law that it [unauthorized wiretapping and domestic spying] was OK after the fact, even though it was illegal before the incident (https://www.eff.org/nsa-spying). Is there any difference between spying and tampering?

In the end, I think telephone-based assurances are an untrusted channel. The risk may be acceptable to you based on your data sensitivity. I choose not to trust them (it's part of my 'infrastructure is insecure' mantra).

Jeff
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
