On 11/07/2014 11:27 am, James A. Donald wrote:
> On 2014-07-11 07:45, Kevin wrote:
>> On 7/10/2014 4:39 PM, John Young wrote:
>>> https://blog.silentcircle.com/why-are-we-competing-with-phone-makers-skype-and-telecom-carriers-all-in-the-same-week/
>>>
>
> With silent circle, when Ann talks to Bob, does Ann get Bob's public key
> from silent circle, and Bob get Ann's public key from silent circle.
>
> If they do it that way, silent circle is a single point of failure which
> can, and probably will, be co-opted by governments.
>
> If they don't do it that way, how do they do it.
>
> Obviously we need a hash chain that guarantees that Ann sees the same
> public key for Ann as Bob sees for Ann.
>
> Does silent circle do that?

While I'm interested in how they're doing that, I'm far more interested in how Ann convinces Bob that she is Ann, and Bob convinces Ann that he is Bob. We left the OpenPGP/cert building a long time ago, we need more than just 1980s PKI ideas with elegant proofs.

If they haven't got an answer to that question, then I'd wonder if the product is a throwaway for real security purposes. (By throwaway, I mean the drug dealer's trick of using each phone/sim for one call, then dropping it in the river.)

iang

ps; John's point is well taken. We don't have a way to escape success being targeted. We don't have a way to pay for many small enclaves with their own tech. We're stuck in a rocky business.
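
Added example, not part of the thread and not Silent Circle's code: a sketch of the hash chain idea raised in the quoted message, where a key directory is an append-only log and two clients compare chain heads to detect a server that shows them different keys for Ann. The function names, the entry encoding and the sample keys are assumptions made for illustration.

```python
import hashlib

GENESIS = b"\x00" * 32  # chain head before any entry (assumed convention)

def entry_hash(prev_head: bytes, user: str, pubkey: bytes) -> bytes:
    """Hash one directory entry together with the previous chain head."""
    h = hashlib.sha256()
    h.update(prev_head)
    # Length-prefix each field so the user/key boundary is unambiguous.
    for field in (user.encode(), pubkey):
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.digest()

def chain_head(log):
    """Fold a list of (user, pubkey) bindings into a single head hash."""
    head = GENESIS
    for user, pubkey in log:
        head = entry_hash(head, user, pubkey)
    return head

def lookup(log, user):
    """Latest key bound to user in this view of the log, or None."""
    for name, pubkey in reversed(log):
        if name == user:
            return pubkey
    return None

def views_consistent(log_a, log_b):
    """True if the shorter view is a prefix of the longer one.

    One client may simply lag behind, so heads are compared at the
    shorter length; any rewritten entry changes that head.
    """
    short, long_ = sorted((log_a, log_b), key=len)
    return chain_head(long_[:len(short)]) == chain_head(short)

# Constructed sample data: the keys are placeholder byte strings.
honest = [("ann", b"ANN-KEY-1"), ("bob", b"BOB-KEY-1")]
view_for_ann = list(honest)
# A co-opted server shows Bob a different key for Ann.
view_for_bob = [("ann", b"MITM-KEY"), ("bob", b"BOB-KEY-1")]

if __name__ == "__main__":
    print("honest views agree:", views_consistent(honest, view_for_ann))
    print("split view detected:", not views_consistent(view_for_ann, view_for_bob))
```

The comparison only helps if Ann and Bob exchange heads over a channel the server does not control. It shows that both saw the same key for "ann", not that the key belongs to the person Bob thinks Ann is, which is the question the reply raises.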
