- From: Aaron Swartz <me@aaronsw.com>
- Date: Thu, 04 Apr 2002 19:45:27 -0600
- To: "Joseph M. Reagle Jr." <reagle@w3.org>, RDF-Interest <www-rdf-interest@w3.org>

Warning: the following email assumes basic knowledge of public-key cryptography and the Man-In-The-Middle attack.

After skipping thru lots of introductory material that most of your readers (at least the ones who care) are probably familiar with, I found myself rather confused with the article. PKI and Web-of-Trust networks are designed to foil Man-In-The-Middle (MITM) attacks, not whose-key-is-this? problems.

It seems that your paper is aimed at simply solving the problem of finding someone's real key in a world of confused, but not actively malicious peers, like someone at the ISP replacing all fingerprints and public keys with ones they've created. Is this right, or did I misunderstand your paper?

One interesting solution to the Web-Of-Trust key-signing problem that I've heard (from Zooko[1]) is to simply sign each other's keys now, before the enemy gets their AI MITM software working which automatically intercepts and converts traffic to their own system of fake keys...which assumes that they haven't gotten it working yet ;-)

[1] http://www.zooko.com/

All the best,
--
"Aaron Swartz" | Swhack Weblog
<mailto:me@aaronsw.com> | <http://blogspace.com/swhack/weblog/>
<http://www.aaronsw.com/> | something different every day

Received on Thursday, 4 April 2002 20:45:33 UTC