[messaging] MITM-safe communication w/o authentication possible?

Sun Nov 29 16:36:17 PST 2015

>In other words, your way of interpreting the question basically ignores the hard problem. Of course, if you ignore the hard problem, then it's "possible".

I agree with that, the hard problem is aliasing real world identities
with cryptographic ones.

I've found, and I expect you'll disagree with me, that decomposing the
problem into "aliasing" (very hard) and encrypting (easier), helps
clarify the security requirements of particular use cases.

I would also like to point out that the RPKI was specifically designed
to prevent aliasing between cryptographic and real world
organisational identities:

"The subject name in each certificate SHOULD NOT be "meaningful",
i.e., the name is not intended to convey the identity of the subject
to relying parties."
https://tools.ietf.org/html/rfc6484#page-13

On Sun, Nov 29, 2015 at 7:15 PM, Ximin Luo <infinity0 at pwned.gg> wrote:
> On 30/11/15 00:53, Ethan Heilman wrote:
>>> No, this is a common fallacy of "identity-based encryption".
>>
>> Correct me if I'm wrong but my understanding is that IBE is slightly
>> weaker but more useful than the protocol I described because IBE
>> places some trust in the PKG. This trust allows IBE to directly
>> connect identities to cryptographic identities. If a fallacy exists it
>> is in the protocol I described but not in IBE.
>>
>
> Ah, terminology confusion here. I was using "IBE" in the colloquial sense of "the key is the identity", which is a not-so-uncommon (ab)use of that term.
>
> Yes, in academic literature "IBE" often refers to a system where a central PKG who holds a secret can bind identity<->key information subject to this secret, that others may verify this subject to trusting the PKG.
>
> But note the original question was asking "is it possible to have a MITM-secure internet channel", no strings attached. To answer this question honestly, it's not appropriate to insert conditions in here of the form "subject to trusting the PKG". "Yes, but" means "no".
>
>>> No human user thinks in terms of contacting cryptographic identities. [..]
>>
>> I agree with what you argue here. I also agree that the system I
>> described does not work for most typical communication use cases but
>> the question was:
>>> "if it can be possible, _at least theoretically_, to have a MITM-secure internet channel without the use of PKI".
>> The answer is both yes it is theoretically possible and yes there are
>> atypical but real use cases.
>>
>> Am I correct in my understanding that .onion addresses work this way?
>>
>
> Yes, .onion address work in the same way that you described, but they also fall under what I was describing. And in fact, you can do this with *any* cryptography system today - in the UI, just display the certificate/key fingerprint instead of the URL/email-address/jabber-address, and there you go you have a "MITM-secure internet channel", where the software doesn't directly pretend to the user that they're communicating with (something other than a cryptographic key).
>
> In other words, your way of interpreting the question basically ignores the hard problem. Of course, if you ignore the hard problem, then it's "possible".
>
> (To put it another way, "self-authenticating" is a joke. My GPG fingerprint is self-authenticating too. Just go talk to 0x1318efac5fbbdbce, it doesn't matter who that is in real life.... what? no takers?)
>
> X
>
> --
> GPG: 4096R/1318EFAC5FBBDBCE
> git://github.com/infinity0/pubkeys.git