Simon Josefsson <[EMAIL PROTECTED]> wrote: > You can transform an OpenPGP key fingerprint into a SAS-like string, > if that makes you feel better, and ask users to verify that. Hash the > OpenPGP fingerprint, truncate it and encode it using the same length > and characters as used by SAS today.
That is basically "just take the sort version of the fingerprint", which you can read everywhere, is not enough, as only that part is easy forgable. > If you don't think that is acceptable, the challenge is yours to come > up with something better. The security industry have been trying for > many years... I'm not aware of any technology that is more secure and > simpler to use than TLS+OpenPGP with user-assisted fingerprint > verification, but I'd love to hear your counter-proposal. The SAS is done with the DH values calculated at session negotiation, so you see if there's MITM because they don't match then. > Disclaimer: I haven't studied the ESession protocol. Maybe you should ;). It's done there like this. -- Jonathan
signature.asc
Description: PGP signature
