On Tue, Sep 9, 2014 at 9:35 AM, Daniel Kahn Gillmor <[email protected]> wrote:
> 1) i regularly communicate with "foo" on twitter, and i want to know
> how to communicate with the author in other communications channels.
>
> I think the proposed publications only (marginally) addresses use case
> (1)

If you have your key fingerprint published through many channels, someone concerned with actually verifying your key fingerprint can check them all to ensure they match. If there's a discrepancy, something is probably amiss. Perhaps an attacker managed to compromise them all and update your key fingerprints in all locations to confuse a victim into sending the attacker an encrypted message.

Sure, it's not a great solution. It's an OK solution, however. Certainly better (from a security, not usability perspective) than TOFU. Short of things like Google's proposed CT-alike for E2E looking for dishonest Key Directories, I'm not sure how you do better.

--
Tony Arcieri
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
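The cross-channel check described in the reply above, sketched as an added example that is not part of the original message or of any project it mentions. The channel names and fingerprints are constructed sample data, and the accepted lengths (40 hex digits for OpenPGP v4, 64 for SHA-256 based fingerprints) are an assumption of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample data: the same fingerprint as it might be copied from
# four channels, in different notations. The "keyserver" copy differs in its
# last hex digit.
PUBLISHED = {
    "twitter-bio": "0x8F3A 1C2D 9B07 44E1 A6C5  D2F0 7E19 B3A4 5C6D 0E21",
    "personal-site": "8f3a1c2d9b0744e1a6c5d2f07e19b3a45c6d0e21",
    "dns-txt": "8F3A:1C2D:9B07:44E1:A6C5:D2F0:7E19:B3A4:5C6D:0E21",
    "keyserver": "8F3A1C2D9B0744E1A6C5D2F07E19B3A45C6D0E22",
}

def normalize(raw):
    """Return the fingerprint as uppercase hex, or None if it is not a full one."""
    s = re.sub(r"[\s:]", "", raw)
    if s[:2].lower() == "0x":
        s = s[2:]
    s = s.upper()
    # Reject short/long key IDs (8 or 16 hex digits): they are not fingerprints
    # and are too short to compare safely.
    if re.fullmatch(r"[0-9A-F]{40}|[0-9A-F]{64}", s):
        return s
    return None

def compare(published):
    """Group channels by normalized fingerprint.

    Returns (verdict, groups, unusable). "consistent" only means every channel
    agrees; as the message notes, an attacker who changed all of them would
    still produce that verdict.
    """
    groups, unusable = defaultdict(list), []
    for channel, raw in published.items():
        fpr = normalize(raw)
        if fpr is None:
            unusable.append(channel)
        else:
            groups[fpr].append(channel)
    if not groups:
        verdict = "no-data"
    elif len(groups) == 1:
        verdict = "consistent"
    else:
        verdict = "discrepancy"
    return verdict, dict(groups), unusable

if __name__ == "__main__":
    verdict, groups, unusable = compare(PUBLISHED)
    print(verdict)
    for fpr, channels in groups.items():
        print(f"  {fpr}: {', '.join(channels)}")
    print("  not a full fingerprint:", unusable)
```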
