[messaging] twitter and github as key validators [was: Re: key validation rules for today]
Tony Arcieri
bascule at gmail.com
Tue Sep 9 13:09:17 PDT 2014
On Tue, Sep 9, 2014 at 9:35 AM, Daniel Kahn Gillmor <dkg at fifthhorseman.net>
wrote:
> 1) i regularly communicate with "foo" on twitter, and i want to know
> how to communicate with the author in other communications channels.
>
> I think the proposed publications only (marginally) addresses use case
> (1)
If you have your key fingerprint published through many channels, someone
concerned with actually verifying your key fingerprint can check them all
to ensure they match. If there's a discrepancy, something is probably amiss.
Perhaps an attacker managed to compromise them all and update your key
fingerprints in all locations to confuse a victim into sending the attacker
an encrypted message. Sure, it's not a great solution. It's an OK solution,
however. Certainly better (from a security, not usability perspective) than
TOFU.

Short of things like Google's proposed CT-alike for E2E looking for
dishonest Key Directories, I'm not sure how you do better.
--
Tony Arcieri
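The cross-channel check described in the message above, as an added example that is not part of the original post or of any project discussed on the list. The channel names and every fingerprint in it are constructed test data, not real keys or accounts; the fetching of each channel's published value is assumed to have already happened and is represented by an inline dict. The point it adds to the prose is the practical detail a checker needs: fingerprints published on different sites differ in case and separators and must be normalised before comparison, a missing or malformed value is a distinct outcome from a disagreement, and unanimous agreement across channels is still only evidence, not proof, exactly as the message notes.

```python
"""Compare a key fingerprint as published on several channels.

Added example; not code from the original post. All channel names and
fingerprints below are constructed sample data.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Anything that is not a hex digit is treated as a separator ("AB CD", "ab:cd", "ABCD").
_NON_HEX = re.compile(r"[^0-9A-Fa-f]")


def normalize_fingerprint(fpr: str) -> Optional[str]:
    """Return the fingerprint as upper-case hex with separators removed.

    Accepts the two lengths a checker is likely to meet: 40 hex digits
    (OpenPGP v4, SHA-1) and 64 hex digits (SHA-256 based fingerprints).
    Returns None for anything else so a truncated or mangled value is
    never silently compared as if it were a full fingerprint.
    """
    hexdigits = _NON_HEX.sub("", fpr)
    if len(hexdigits) not in (40, 64):
        return None
    return hexdigits.upper()


def check_channels(
    observed: Dict[str, Optional[str]], min_channels: int = 2
) -> Tuple[str, Optional[str], List[str]]:
    """Check that every channel publishes the same fingerprint.

    observed maps a channel name to the fingerprint string as published
    there, or None if that channel publishes nothing.
    Returns (verdict, fingerprint, notes) where verdict is one of
    "consistent", "mismatch" or "insufficient". fingerprint is only set
    for "consistent"; on a mismatch nothing is picked as the winner,
    because a discrepancy is the signal that something is amiss.
    """
    normalized: Dict[str, str] = {}
    notes: List[str] = []
    for channel, raw in observed.items():
        if raw is None:
            notes.append(f"{channel}: no fingerprint published")
            continue
        n = normalize_fingerprint(raw)
        if n is None:
            notes.append(f"{channel}: malformed fingerprint {raw!r}")
            continue
        normalized[channel] = n

    if len(normalized) < min_channels:
        notes.append(f"only {len(normalized)} usable channel(s), need {min_channels}")
        return "insufficient", None, notes

    counts = Counter(normalized.values())
    if len(counts) == 1:
        # Agreement across channels is evidence, not proof: an attacker who
        # controls every channel can make them all agree on their own key.
        return "consistent", next(iter(counts)), notes

    majority, _ = counts.most_common(1)[0]
    for channel, n in sorted(normalized.items()):
        if n != majority:
            notes.append(f"{channel}: {n} disagrees with {majority}")
    return "mismatch", None, notes


# Constructed sample data: the same fingerprint in three common renderings.
CONSISTENT_SAMPLE: Dict[str, Optional[str]] = {
    "twitter": "2A1B 3C4D 5E6F 7A8B 9C0D  1E2F 3A4B 5C6D 7E8F 9A0B",
    "github": "2a1b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b",
    "personal_site": "2A:1B:3C:4D:5E:6F:7A:8B:9C:0D:1E:2F:3A:4B:5C:6D:7E:8F:9A:0B",
}

# Constructed sample data: one channel has been replaced with a different key.
TAMPERED_SAMPLE: Dict[str, Optional[str]] = dict(
    CONSISTENT_SAMPLE, keybase="DEAD BEEF " * 5
)


if __name__ == "__main__":
    for label, sample in (("consistent", CONSISTENT_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        verdict, fpr, notes = check_channels(sample)
        print(f"{label}: {verdict} {fpr or ''}")
        for note in notes:
            print(f"  {note}")
```

The `min_channels` threshold is the knob that turns this from TOFU into the multi-channel check the message argues for: with one channel it degrades to trusting a single publication, which is the case the post says is only marginally addressed.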