[messaging] PKI is dead
U.Mutlu
for-gmane at mutluit.com
Fri Jan 23 19:07:04 PST 2015
Tao Effect wrote, On 01/24/2015 03:47 AM:
> On Jan 23, 2015, at 6:37 PM, U.Mutlu <for-gmane at mutluit.com> wrote:
>>
>> Why am I wrong? Where is your argument?
>
> Several people have replied to you and presented arguments which you have
> either ignored or misunderstood.
>
> Michael mentioned:
>
>> Without PKI it’s a duckling model at best, and you don’t log into every
>> website every time with a password.
because his argument was off-topic as the discussion is about messaging, not
web surfing.
And: login authentication requires obviously a login, but if there is no need
for a login then there is no need to go to the website with a password...
> Tony pointed out:
>
>> These aren't MITM safe. They're TOFU. They have no way to authenticate
>> the server.
>>
>> When you enroll a PAKE account, if you're talking to a MITM server,
>> you're toast. The MITM can then enroll with the real service on your
>> behalf and transparently proxy everything through, except the MITM will
>> have the real credentials, and your credentials will only work with the
>> MITM.
>
> Your reply to him didn't address the argument he was making, possibly
> indicating that you probably misunderstood what he was saying about TOFU
> (trust-on-first-use).
I think I have already addressed his arguments. I don't believe TOFU is safe,
my described method is better.
cu
Uenal
>
> Cheers, Greg
More information about the Messaging
mailing list