[messaging] Encrypted Pulic Contact Discovery
matthew at matrix.org
Wed Aug 19 15:09:16 PDT 2015
I guess we have been considering injecting fake mappings as a serious attack. If the main trusted auth provider claims that Bill Gates' personal phone number should route to @matthew:matrix.org or xmpp:matthew at matrix.org or whatever, I will end up intercepting all of his messages... unless there is a solid reputation system either for auth providers or for the endpoints. This feels like a pretty big problem, if a single auth provider can be compromised or temporarily go rogue and start adding malicious mappings; hence looking for a way to try to keep folks honest.
> On 19 Aug 2015, at 20:01, steve at actor.im wrote:
> Hi, Matthew
> It seems that we can reduce power of auth provider. As we always rely on SMS-gates for auth and they are already much more powerfull in this case. Plus gate can only add fake numbers. What's a problem with it?
> For building secure we need more that only single auth provider. For securing some accounts people can use 2FA.
> 19.08.2015, 19:53, "Matthew Hodgson" <matthew at matrix.org>:
>> This is similar to the decentralised identity service ideas we've been experimenting with for Matrix. The problem we've hit (which I think this scheme suffers from too) is how you choose which auth providers to trust, otherwise you end up un-decentralising the system as the defacto auth provider ends up with way too much power. Do you consider this a problem?
>> We've been looking at using something like the stellar consensus protocol to propagate trust/reputation between the auth providers - or limiting ourselves to email and piggybacking on top of DKIM like webfist/webfinger.
>> p.s. does anyone know how dead/alive webfist is, and whether/why it failed?
>> Matthew Hodgson
>>> On 19 Aug 2015, at 17:26, steve at actor.im wrote:
>>> Hello everyone!
>>> Just finished small article about one idea of secure contact discovery: https://medium.com/@ex3ndr/encrypted-public-contact-discovery-95cfa0a0f6c7
>>> Messaging mailing list
>>> Messaging at moderncrypto.org
More information about the Messaging