[messaging] MITM-safe communication w/o authentication possible?
Ethan Heilman
eth3rs at gmail.com
Sun Nov 29 16:20:47 PST 2015
>No, they're hashes of public keys. Self authenticating.
>Same as Tor, self authenticating addresses.
Not sure why you said no, I was claiming they were self authenticating
hashes of public keys.
Me: "network address of every node in the network is the hash of their
public key".
>The distribution of the name is itself the PKI mechanism.
Not sure what you mean here? I would really appreciate it if could you
point me to some resources that explain how "the distribution of the
name is itself the PKI" as it sounds like an interesting point? Are
you referring to DigiCert offering cert signing for .onions?
>Doesn't help against plagiarism or other forgery. See the method on winning against chess grandmasters - make yourself the proxy in between two chess grandmasters who both see your name and don't know do they really are playing against.
This is an excellent point, however I don't see how PKIs solve this
problem either and the solutions do exist under certain assumptions
(such as a secure distributed public ledger) that do not require a
PKI.
On Sun, Nov 29, 2015 at 7:00 PM, Natanael <natanael.l at gmail.com> wrote:
>
> Den 30 nov 2015 00:53 skrev "Ethan Heilman" <eth3rs at gmail.com>:
>
>> I agree with what you argue here. I also agree that the system I
>> described does not work for most typical communication use cases but
>> the question was:
>> >"if it can be possible, _at least theoretically_, to have a MITM-secure
>> > internet channel without the use of PKI".
>> The answer is both yes it is theoretically possible and yes there are
>> atypical but real use cases.
>>
>> Am I correct in my understanding that .onion addresses work this way?
>
> No, they're hashes of public keys. Self authenticating. The distribution of
> the name is itself the PKI mechanism.
>
>> I would also expect that this could be useful for:
>>
>> 1. self-organizing sensor networks,
>
> Under what threat model?
>
>> 2. pseudonymous internet forums (user A wants to send a message to the
>> user that write post X, user A doesn't care about that user's 'true
>> name'),
>
> Doesn't help against plagiarism or other forgery. See the method on winning
> against chess grandmasters - make yourself the proxy in between two chess
> grandmasters who both see your name and don't know do they really are
> playing against.
>
> In other words, stripping out attribution and substituting your own is easy.
>
>> 3. and cryptocurrency transactions.
>
> Same as Tor, self authenticating addresses.
More information about the Messaging
mailing list