On 06.10.2008 at 00:44, Dave Cridland wrote:

You see, there is a reasonable assumption by the police that the endpoints of the esession must be as you expect, since you are continuing the session, and without that expectation on your part, the channel could be, or is, compromised, and based on your apparent intent to talk to the police in a secure manner, it is a reasonable assumption to make, I think.

Yes, but unlike a key, an SAS doesn't identify you.

Are you still claiming I "clearly don't get" some concept, or can we move on?

Then I don't get why you suggest putting a SAS on a webpage - which would be completely pointless.

Web pages are not immutable, and new web pages can be created. I fail to see this as being a problem. Even if I were somehow mistaken about the web - I did my first HTTP/1.1 implementation about 11.5 years ago, but I'm hardly an expert - I don't see this as having much to do with the question at hand, that is, the symmetry of authentication inherent in a SAS based mechanism.

Using a web page, an attacker could also get the SAS. And you can't share the SAS there in advance.

The situation of talking to the police is clearly a situation where you want a public key, not an SAS - this is why I thought you didn't get how SAS works.

Pick one, and please explain your choice.

I don't really understand your point, sorry.

You mean that by continuing the conversation I tell the other side that it matched? If it doesn't match, I could just keep on talking with the other side, but tell useless stuff instead of the stuff I originally intended to say. So this doesn't tell the other side whether it matched or not, IMO.

--
Jonathan
