On Wednesday 21 November 2007 01:46, you wrote:
> Matthew Toseland wrote:
> > You're talking about geeks. And even they don't usually go to the effort. But
> > this whole conversation kicked off when you said files were inconvenient. :)
>
> They are inconvenient - if I could convince the rest of the world to use
> short refs, I would. But not passwords, that would be a step backwards. ;-)
>
> > I still don't see how you are going to use them. Bob makes up a password and
> > gives it to Alice out of band over the phone. Alice proves she has the
> > password through a challenge/response. Alice gets 3 tries. What's the attack
> > vector?
>
> Sorry, I misunderstood. I thought you were proposing that there should
> be no up-front exchange of pubkeys/passwords, but after establishing the
> connection it should be checked for MITM attacks by generating a
> password from the JFK pubkeys and verifying it OOB (like Zfone does).

Well, suppose we did this. 128 bits is 25 characters. We add one character for redundancy (checksum). One advantage is it only needs to be exchanged in one direction. This would seem at the moment to be the simplest option. And we then only need to exchange IP:port in advance.
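
The scheme discussed in this message, sketched as an added example (not code from the thread or from Freenet): a 128-bit value derived from both session pubkeys, rendered as 25 characters plus one check character, read out in one direction and verified on the other node. The SHA-256 fingerprint, the base36 alphabet, the Luhn mod 36 check character and all function names are assumptions; the thread specifies none of them.

```python
import hashlib
import hmac

# Assumptions (not from the thread): SHA-256 fingerprint, base36 alphabet,
# Luhn mod 36 check character. 36**25 > 2**128, so 25 characters carry 128 bits.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"
BODY_LEN = 25

def check_char(body: str) -> str:
    """Luhn mod N check character: catches any single mistyped character."""
    n, factor, total = len(ALPHABET), 2, 0
    for ch in reversed(body):
        addend = factor * ALPHABET.index(ch)
        factor = 1 if factor == 2 else 2
        total += addend // n + addend % n
    return ALPHABET[(n - total % n) % n]

def verification_string(pubkey_a: bytes, pubkey_b: bytes) -> str:
    """128-bit fingerprint of both session pubkeys as 25 chars + 1 check char."""
    h = hashlib.sha256()
    # Sort and length-prefix so both peers hash identical, unambiguous input.
    for key in sorted((pubkey_a, pubkey_b)):
        h.update(len(key).to_bytes(4, "big") + key)
    value = int.from_bytes(h.digest()[:16], "big")
    body = ""
    for _ in range(BODY_LEN):
        value, digit = divmod(value, len(ALPHABET))
        body = ALPHABET[digit] + body
    return body + check_char(body)

def check_entered(entered: str, my_pubkey: bytes, peer_pubkey: bytes) -> str:
    """Return 'match', 'typo' (re-enter), or 'mismatch' (keys differ: possible MITM)."""
    s = "".join(entered.lower().split())
    if (len(s) != BODY_LEN + 1 or any(c not in ALPHABET for c in s)
            or check_char(s[:-1]) != s[-1]):
        return "typo"
    expected = verification_string(my_pubkey, peer_pubkey)
    return "match" if hmac.compare_digest(s, expected) else "mismatch"

if __name__ == "__main__":
    # Constructed sample keys; a real node would use the pubkeys from its JFK exchange.
    alice, bob, mallory = b"constructed-alice-key", b"constructed-bob-key", b"constructed-mitm-key"
    read_out = verification_string(alice, bob)            # Alice reads this over the phone
    print(read_out, check_entered(read_out, bob, alice))  # Bob's node, same keys: match
    print(check_entered(read_out, bob, mallory))          # Bob saw a different key: mismatch
```

The check character lets the receiving side tell a mistyped string (ask for it again) apart from a well-formed string that does not match its own view of the keys, which is the case that indicates interception.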
