[messaging] PKI is dead
trevp at trevp.net
Fri Jan 23 15:05:49 PST 2015
Are we just discussing website login and Web PKI here?
If there's no direct connection to end-to-end secure messaging, could
people discuss this elsewhere?
On Fri, Jan 23, 2015 at 1:01 PM, Tony Arcieri <bascule at gmail.com> wrote:
> On Fri, Jan 23, 2015 at 1:57 AM, U.Mutlu <for-gmane at mutluit.com> wrote:
>> Back to the roots: hashed pw over MITM-safe sessions (SRP, SPEKE etc, ie.
> These aren't MITM safe. They're TOFU. They have no way to authenticate the
> When you enroll a PAKE account, if you're talking to a MITM server, you're
> toast. The MITM can then enroll with the real service on your behalf and
> transparently proxy everything through, except the MITM will have the real
> credentials, and your credentials will only work with the MITM.
> Also: passwords suck and need to go away.
> Tony Arcieri