--
James A. Donald:
> The problem is that I assume that people find each other's IP and
> transient public key through the server. I also assume the user's
> computer is insecure, the user is ignorant and careless about
> security and the user may change computers from time to time. Thus
> his public key has to be transitory. Thus the server can mount a
> man-in-the-middle attack.
On reflection, the obvious solution to this is for the user to have his
possibly low-entropy key p, and the server to keep for him a high-entropy
key q.
The public key is G^(p+q).
The secret key is p+q, and the user never seeks to find out q.
The server establishes the user's identity by verifying that he knows the p
corresponding to the shared secret G^p.
It then, on a secure channel established by DH, provides the user with P^q,
where P is whatever the user requests, as often as the user requests it.
If the user chooses a low-entropy key, he is secure from attack by anyone
except the server, and if he chooses a high-entropy key, he is secure from
attack by anyone.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
/PGGNQOAtpIk7xH+upFM0rdV+k4+OBGjvBYkINPL
4YD/VOu7b8uEkoZa8iUQzQl/Df8C0lv/g8BHrP7Lm
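The scheme in the post above, carried through in working code. This is an
added example, not code from James Donald or from any system the post
describes. Everything beyond the post's own p, q, G and P is this example's
assumption: the group is a toy safe-prime group generated by make_group (the
post fixes no group); the names Server, User, run_dh and server_recovers_p
are invented; "verifying that he knows p" is implemented as a Schnorr proof
of knowledge made non-interactive with a hash challenge that also binds the
requested P (the post does not say how the check is done); and the
DH-established secure channel carrying P^q is left out, with the two sides
shown as direct calls.

```python
"""Split-key scheme from the post: the user holds p, the server holds q,
the public key is G^(p+q), and the server returns P^q on request after the
user proves knowledge of p.  Added example; group, names and the Schnorr
proof are assumptions of this example, not part of the original post."""
import hashlib
import random
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]

def is_probable_prime(n, rounds=24):
    """Trial division, then Miller-Rabin with bases seeded from n."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=128, seed=2024):
    """Safe prime MOD = 2*ORDER + 1; G = 4 (a square) generates the subgroup
    of prime order ORDER.  Fixed seed, so the same toy group every run."""
    rng = random.Random(seed)
    while True:
        order = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        mod = 2 * order + 1
        if is_probable_prime(order) and is_probable_prime(mod):
            return mod, order, 4

def challenge(*transcript):
    """Fiat-Shamir challenge for the Schnorr proof, bound to the requested P."""
    return int.from_bytes(hashlib.sha256(repr(transcript).encode()).digest(), "big")

class Server:
    """Keeps the high-entropy share q per user; sees G^p, never p."""
    def __init__(self, mod, order, g):
        self.mod, self.order, self.g = mod, order, g
        self.users = {}                            # user_id -> (G^p, q)

    def register(self, user_id, g_p):
        q = secrets.randbelow(self.order - 1) + 1
        self.users[user_id] = (g_p, q)
        return g_p * pow(self.g, q, self.mod) % self.mod   # public key G^(p+q)

    def exponentiate(self, user_id, t, s, P):
        """Check G^s == t * (G^p)^c with c = H(G^p, t, P), then hand out P^q."""
        g_p, q = self.users[user_id]
        c = challenge(g_p, t, P) % self.order
        if pow(self.g, s, self.mod) != t * pow(g_p, c, self.mod) % self.mod:
            raise PermissionError("proof of knowledge of p failed")
        return pow(P, q, self.mod)

class User:
    """Holds only p; gets the q half of every exponentiation from the server."""
    def __init__(self, mod, order, g, p):
        self.mod, self.order, self.g, self.p = mod, order, g, p % order
        self.g_p = pow(g, self.p, mod)              # G^p, sent at registration

    def shared_secret(self, server, user_id, E):
        """DH against a peer's ephemeral E: E^(p+q) = E^p * E^q."""
        r = secrets.randbelow(self.order - 1) + 1
        t = pow(self.g, r, self.mod)                # Schnorr commitment G^r
        c = challenge(self.g_p, t, E) % self.order
        e_q = server.exponentiate(user_id, t, (r + c * self.p) % self.order, E)
        return pow(E, self.p, self.mod) * e_q % self.mod

def run_dh(real_p, claimed_p, group=None):
    """True if a user holding claimed_p agrees with a peer (who has only the
    public key G^(p+q) registered under real_p); False if the server refused."""
    mod, order, g = group or make_group()
    server = Server(mod, order, g)
    pub = server.register("alice", User(mod, order, g, real_p).g_p)
    e = secrets.randbelow(order - 1) + 1                   # peer's ephemeral
    try:
        mine = User(mod, order, g, claimed_p).shared_secret(server, "alice", pow(g, e, mod))
    except PermissionError:
        return False
    return mine == pow(pub, e, mod)

def server_recovers_p(g_p, mod, g, max_p):
    """The closing caveat: the server holds G^p, so a p of at most max_p
    falls to exhaustive search; returns p, or None if it is not that small."""
    x = 1
    for cand in range(max_p + 1):
        if x == g_p:
            return cand
        x = x * g % mod
```

run_dh(1234, 1234) returns True: the peer computes G^((p+q)e) from the
public key alone, while the user gets the same value as E^p times the
server's E^q without ever learning q. run_dh(1234, 4321) returns False,
since the Schnorr response only verifies against the G^p stored at
registration. server_recovers_p(pow(g, 1234, mod), mod, g, 10**4)
returns 1234, which is the post's own caveat made concrete: a low-entropy p
is safe against everyone except the party holding G^p. Two design notes
on the assumed pieces: the proof sends G^r rather than G^p, so G^p crosses
the wire once, at registration; and hashing the requested P into the
challenge means a captured (t, s) cannot be replayed to obtain P'^q for a
different P'.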