[messaging] The Simple Thing

David Leon Gil coruus at gmail.com
Thu Oct 2 06:33:16 PDT 2014

On Thursday, October 2, 2014, Ben Laurie <ben at links.org> wrote:

> On 25 September 2014 09:48, Trevor Perrin <trevp at trevp.net>
> wrote:
> The difference is that with CT the user whose key changes necessarily
> becomes aware that it has changed. In "the simple thing?" only the
> targeted user of the key is aware of this change.

CT makes detecting key changes symmetric between the parties that intend to

Traditional TOFU gives MitMs a *choice* of who to target. This makes things
easier for adversaries in a lot of common situations. (E.g., impersonate
the MBA to the crypto guy, or the crypto guy to the MBA?)

> It seems odd to argue that scheme A is better than scheme B because A
> reduces the chance of detection of badness vs B and thus doesn't raise
> the problem of what you do about that badness...

+1. I'd note, as well, that TOFU/pinning is not inherently incompatible
with CT: TOFU could be used by the correspondents of someone who wants
their public key to be secret, while they use CT to confirm others' keys.

> BTW, it seems to me that getting to the state where key changes are
> rare would be useful in either case.

This seems impossible without large investments in securing hardware.
There's some secure-ish hardware available in the certificate case (a few
HSMs). But for the messaging case, we don't even have that...
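
The detection asymmetry discussed in this thread, as an added example that is not part of the original message: a toy model comparing who notices a substituted key under plain TOFU pinning and under a CT-style public log. The names, keys and the `who_detects` helper are constructed; it assumes clients reject unlogged keys and that key owners monitor the log for their own name, and it also covers the first-contact case, which the message does not spell out.

```python
# Constructed toy model (not a real CT or messaging implementation).
KEYS = {"alice": "A1", "bob": "B1"}       # constructed genuine keys
FAKE = "M1"                               # constructed substituted key

class Client:
    def __init__(self, name):
        self.name, self.pins = name, {}

    def receive(self, peer, key, log=None):
        """Return True if this client notices something wrong with peer's key."""
        if log is not None and (peer, key) not in log:
            return True                   # assumed CT-style rule: unlogged keys are rejected
        return self.pins.setdefault(peer, key) != key   # TOFU: first key seen is pinned

    def monitor(self, log):
        """Key owner audits the log for bindings of its own name to other keys."""
        return any(who == self.name and key != KEYS[self.name] for who, key in log)

def who_detects(victim, impersonated, use_log, first_contact=False):
    """`victim` is shown a fake key for `impersonated`; return the set of parties who notice."""
    clients = {n: Client(n) for n in KEYS}
    log = [(n, k) for n, k in KEYS.items()] if use_log else None
    if not first_contact:                 # an earlier honest exchange sets the pins
        for c in clients.values():
            for peer, key in KEYS.items():
                if peer != c.name:
                    c.receive(peer, key, log)
    if use_log:
        log.append((impersonated, FAKE))  # the fake key is only accepted if it is logged
    noticed = set()
    if clients[victim].receive(impersonated, FAKE, log):
        noticed.add(victim)
    if use_log and clients[impersonated].monitor(log):
        noticed.add(impersonated)
    return noticed

if __name__ == "__main__":
    for use_log in (False, True):
        for first in (False, True):
            label = ("log " if use_log else "TOFU") + (" first-contact" if first else " pinned")
            print(label, sorted(who_detects("alice", "bob", use_log, first)))
```

With pinning alone, the only party who can notice is the one whose view was tampered with, and on first contact nobody does; with the log, the impersonated key owner notices in every case.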
