[messaging] PKI is dead

Tao Effect contact at taoeffect.com
Fri Jan 23 18:47:53 PST 2015


On Jan 23, 2015, at 6:37 PM, U.Mutlu <for-gmane at mutluit.com> wrote:
> 
> Why am I wrong? Where is your argument?

Several people have replied to you and presented arguments which you have either ignored or misunderstood.

Michael mentioned:

> Without PKI it’s a duckling model at best, and you don’t log into every website every time with a password.


Tony pointed out:

> These aren't MITM safe. They're TOFU. They have no way to authenticate the server.
> 
> When you enroll a PAKE account, if you're talking to a MITM server, you're toast. The MITM can then enroll with the real service on your behalf and transparently proxy everything through, except the MITM will have the real credentials, and your credentials will only work with the MITM.

Your reply to him didn't address the argument he was making, possibly indicating that you probably misunderstood what he was saying about TOFU (trust-on-first-use).

Cheers,
Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.


> Tony Arcieri wrote, On 01/24/2015 03:28 AM:
>> On Fri, Jan 23, 2015 at 6:22 PM, U.Mutlu <for-gmane at mutluit.com> wrote:
>> 
>>> So, this is a safe & secure method.
>> 
>> No, you're wrong, it's not, but please move this discussion to a more
>> appropriate mailing list and I'll continue the discussion.
> 
> Why am I wrong? Where is your argument?
> This is basic maths everyone can verify him-/herself.
> 
> And, I'm on-topic for this list, as it is about messaging.
> If you don't like the discussion under this topic, then it is you who should move along to other topics or lists...
> 
> cu
> Uenal
> 
> 
