On Fri, 29 Aug 2008 12:11:11 +0100 Pedro Melo <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Aug 29, 2008, at 11:12 AM, Dirk Meyer wrote:
> > Pedro Melo wrote:
> >> On Aug 26, 2008, at 2:41 PM, Dirk Meyer wrote:
> >>
> >>> in case you do not read Slashdot or follow Usenix publications,
> >>> here is an interesting link:
> >>> http://www.cs.cmu.edu/~perspectives/perspectives_usenix08.pdf
> >>>
> >>> The question is: who is the Notary Server in our case. It can not
> >>> be the XMPP server because the XMPP is one of the view points an
> >>> attacker could be.
> >>
> >> I read it and my first thought was: what is the advantage of a
> >> notary to a web of trust?
> >
> > IMHO it is more like the Byzantine Fault Tolerance. You do not have
> > to trust the notary server, you just assume that maybe one or two
> > may be lying, but not all of them.
> >
> > When I want to open a secure connection to you I could ask five
> > notary servers around the globe (e.g. different XMPP server in a
> > different domain). If four out of five report the same fingerprint
> > for you I could trust it. If they also report that the fingerprint
> > is the same for half a year now, I can be sure it is yours. Ok, it
> > is not 100% correct, but an attacker must manipulate many different
> > servers to fake your key and an attacker can not know which notary
> > servers I will ask.
>
> Well, I have this thing called a roster, and some of them I already
> have certified as being the person I expect them to be. And for some
> of those, I actually trust their judgement. So why not ask them
> if they know this person? And if yes, what's the signature they know
> them by?

Web of trust? PGP?

> I'm not saying that the Perspectives proposal is bad, not at all. I
> think it's a great way to bootstrap and if it goes forward, something
> we could try and use. But this is XMPP-la-la-land, and maybe we can
> leverage our strengths (aka, the roster) to have something better.
>
> Best regards,

-- 
Web: http://www.pavlix.net/
Jabber & Mail: pavlix(at)pavlix.net
OpenID: pavlix.net
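The four-out-of-five notary check with the half-year stability condition, as described in the quoted discussion, sketched as an added example that is not code from the thread or from the Perspectives project. The `Observation` record, the `evaluate` function, the notary names and the fingerprint strings are all hypothetical and constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Observation:
    notary: str                      # hypothetical notary name
    fingerprint: Optional[str]       # None: notary unreachable or has no record
    first_seen: Optional[datetime] = None  # since when it has seen this key

def evaluate(observations, offered_fp, now, quorum=4, min_age=timedelta(days=182)):
    """Decide whether to accept the key fingerprint a peer just offered."""
    answers = [o for o in observations if o.fingerprint is not None]
    if len(answers) < quorum:
        return False, "too few notaries answered"
    agreeing = [o for o in answers if o.fingerprint == offered_fp]
    if len(agreeing) < quorum:
        top, count = Counter(o.fingerprint for o in answers).most_common(1)[0]
        if count >= quorum:
            # The quorum knows the peer under another key than the one offered.
            return False, f"notaries agree on a different key: {top}"
        return False, "no quorum for any key"
    # Stability check: the quorum must also have seen this key long enough.
    stable = [o for o in agreeing
              if o.first_seen is not None and now - o.first_seen >= min_age]
    if len(stable) < quorum:
        return False, "quorum agrees, but the key is too new"
    return True, f"{len(stable)} of {len(observations)} notaries confirm a stable key"

# Constructed sample data: five notaries, one of which disagrees.
NOW = datetime(2008, 8, 29)
REAL_FP, FAKE_FP = "fp-real-constructed", "fp-fake-constructed"
OLD, RECENT = NOW - timedelta(days=300), NOW - timedelta(days=3)
SAMPLE = [Observation(f"notary{i}.example", REAL_FP, OLD) for i in range(1, 5)]
SAMPLE.append(Observation("notary5.example", FAKE_FP, RECENT))

if __name__ == "__main__":
    print(evaluate(SAMPLE, REAL_FP, NOW))   # peer offers the key the quorum knows
    print(evaluate(SAMPLE, FAKE_FP, NOW))   # peer offers a key only one notary saw
```

The "too new" result covers a legitimate key rotation as well as a substituted key, so a client needs a separate path for confirming a freshly changed key.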
