On Thu Oct 2 16:04:22 2008, Jonathan Schleifer wrote:
> On 02.10.2008 at 16:46, Dave Cridland wrote:
>> As a momentary aside, this kind of setup cannot be achieved with
>> esessions, which mandate a symmetrical authentication.
> That's new to me. Many people have authenticated me, but I haven't
> authenticated them. Could you please explain what you are referring
> to?
Asymmetric authentication in esessions is only possible if the SAS
code is transferred over a channel which, itself, provides only
asymmetric authentication. The SAS mechanism itself is symmetric, but
can only prove the security equivalence of the two channels, thus if
the SAS side-channel has asymmetric properties, then so with the
esession itself.
So if you are providing other people with the SAS code for the
esession via, say, a web page, then because all they can say about
the web page is that you have some control of it, then all they can
say about the esession is it belongs to someone with control of the
webpage.
To get a side-channel that proved your identity entirely without
disclosing anything about the other end would be quite tricky, and in
fact the only one that springs to my mind is using a CA signed
certificate and a TLS session, and given that arrangement, it seems
most useful to just use that for communications.
However, you're correct in as much as it is possible to do.
Dave.
--
Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED]
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
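A toy model of the argument in Dave's reply, added here as an example that is not part of the thread and not the real esessions SAS construction: the Diffie-Hellman group, the SAS derivation, the relay party and the party names are constructed assumptions. It shows that matching SAS values only prove both peers saw the same exchange (a key-substituting relay produces differing values), and that whatever the esession can then attribute is bounded by what the side channel carrying the SAS proved.

```python
import hashlib
import secrets

# Constructed toy Diffie-Hellman group for illustration only: 2**521-1 is a
# Mersenne prime, but this is NOT a vetted DH group and the generator is arbitrary.
P = 2**521 - 1
G = 5

def keypair(priv=None):
    """Return (private, public) DH values; priv may be fixed for deterministic runs."""
    priv = priv if priv is not None else secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def sas(my_pub, peer_pub, shared_secret, length=8):
    """Short Authentication String (toy version): a hash over BOTH public values,
    in canonical order, plus the derived secret. Two honest peers on one channel
    get the same value; a relay that substituted keys does not."""
    transcript = b"|".join(str(x).encode() for x in sorted((my_pub, peer_pub)))
    return hashlib.sha256(transcript + str(shared_secret).encode()).hexdigest()[:length]

def session(a_priv, b_priv, m_priv=None):
    """Run an exchange between A and B. If m_priv is given, an active relay M
    terminates each side with its own key. Returns (sas_seen_by_A, sas_seen_by_B)."""
    a_priv, a_pub = keypair(a_priv)
    b_priv, b_pub = keypair(b_priv)
    if m_priv is None:
        return (sas(a_pub, b_pub, pow(b_pub, a_priv, P)),
                sas(b_pub, a_pub, pow(a_pub, b_priv, P)))
    m_priv, m_pub = keypair(m_priv)
    # A talks to M believing it is B; B talks to M believing it is A.
    return (sas(a_pub, m_pub, pow(m_pub, a_priv, P)),
            sas(b_pub, m_pub, pow(m_pub, b_priv, P)))

def esession_proves(sas_match, side_channel_proves):
    """What the esession can attribute after the SAS comparison: a match carries
    over exactly the identities the side channel itself proved (e.g. only the
    web-page owner when the SAS was published on a web page); a mismatch proves
    nothing beyond the two channels differing."""
    return frozenset(side_channel_proves) if sas_match else frozenset()
```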